Thousands of WordPress sites targeted with malicious plugin backdoor attacks

News
By published

JavaScript was deploying four separate backdoors on vulnerable websites

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)
  • Security researchers found JavaScript code installing four backdoors to WP-powered sites
  • They also found a vulnerable plugin enabling full website takeover
  • There are patches and mitigations for all these vulnerabilities

A single piece of JavaScript code deployed no less than four separate backdoors onto roughly 1,000 WordPress websites, according to a new report from cybersecurity researchers c/side, who detailed the four backdoors and explained how website builder users should protect themselves.

The analysis did not elaborate how the malicious JavaScript made it into these websites - we can assume either weak or compromised passwords, a vulnerable add-on, or similar. In any case, the code is served via cdn.csyndication[dot]com, a domain mentioned in at least 908 websites.

It deploys four backdoors. One installs a fake plugin named “Ultra SEO Processor” that can execute commands remotely, one injects malicious JavaScript into wp-config.php, one adds an SSH key to allow threat actors persistent access, and one runs commands remotely and opens a reverse shell.

Chaty Pro 10/10

To minimize the risk, c/side advises website owners delete unauthorized SSH keys, rotate their WP admin credentials, and scan system logs for any suspicious activity.

At the same time, PatchStack found Chaty Pro, a popular WordPress plugin with some 18,000 installations, was enabling malicious file uploads on websites where it was installed. Chaty Pro allows owners to integrate chat services with social messaging tools.

The flaw is tracked as CVE-2025-26776 and has a 10/10 severity score (critical). Since threat actors can use it to upload malicious files, it can lead to full website takeover, hence the critical severity. Infosecurity Magazine reports the function included a whitelist of allowed file extensions which was, sadly, never implemented.

“Uploaded file name contains the upload time and a random number between 100 and 1000, so it is possible to upload a malicious PHP file and access it by brute forcing possible file names around the upload time,” PatchStack explained.

Chaty Pro’s maintainers released a fix on February 11. All users are advised to upgrade the extension to version 3.3.4.

Via The Hacker News

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over 10,000 WordPress sites found showing fake Google browser update pages to spread malware
WordPress
Another top WordPress plugin found carrying critical security flaws
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Top WordPress plugins found to have some serious security flaws, so make sure you're protected
Ransomware
Researchers hijack thousands of backdoors thanks to expired domains
Latest in Security
AI tools.
Not even fairy tales are safe - researchers weaponise bedtime stories to jailbreak AI chatbots and create malware
Data leak
Top California sperm bank suffers embarrassing leak
An Android phone being held in the hand
These malicious Android apps were installed over 60 million times - here's how to stay safe
ransomware avast
Billions of credentials were stolen from businesses around the world in 2024
Avast cybersecurity
An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
ID theft
Hackers claim Orange attack, threaten to leak 1TB of data
Latest in News
ExpressVPN mobile app and Aircove
ExpressVPN ‘reduces workforce’ for the second time in two years
The Nanoleaf PC Screen Mirror Lightstrip being used on a desktop computer.
Mac gaming could get an intriguing boost – but not in the way you'd expect
Snapdragon G Series
Qualcomm poised to muscle in on AMD's territory with powerful gaming handheld processors
David running in the desert in House of David.
Prime Video’s hit new historical drama will continue its reign for another season as House of David gets renewed
Student sat at a desk with a laptop in a dormitory looking at a mobile phone
Windows 11 could eventually help you understand how fast your PC is - as well as offer tips for making your PC or laptop faster for free
Veresa attacks an enemy in Genshin Impact.
Genshin Impact Version 5.5 arrives next week, adding a new five star character obsessed with food
More about security
Data leak

Top California sperm bank suffers embarrassing leak
AI tools.

Not even fairy tales are safe - researchers weaponise bedtime stories to jailbreak AI chatbots and create malware
David running in the desert in House of David.

Prime Video’s hit new historical drama will continue its reign for another season as House of David gets renewed
See more latest
Most Popular
David running in the desert in House of David.
Prime Video’s hit new historical drama will continue its reign for another season as House of David gets renewed
ExpressVPN mobile app and Aircove
ExpressVPN ‘reduces workforce’ for the second time in two years
The Nanoleaf PC Screen Mirror Lightstrip being used on a desktop computer.
Mac gaming could get an intriguing boost – but not in the way you'd expect
Data leak
Top California sperm bank suffers embarrassing leak
Snapdragon G Series
Qualcomm poised to muscle in on AMD's territory with powerful gaming handheld processors
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Thursday, March 20 (game #382)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Thursday, March 20 (game #648)
Quordle on a smartphone held in a hand
Quordle hints and answers for Thursday, March 20 (game #1151)
Veresa attacks an enemy in Genshin Impact.
Genshin Impact Version 5.5 arrives next week, adding a new five star character obsessed with food
AI tools.
Not even fairy tales are safe - researchers weaponise bedtime stories to jailbreak AI chatbots and create malware