While reviewing malware, the SiteLock Research Team detected suspicious code in a WordPress plugin. We reviewed the suspicious code and found the plugin wasn’t malicious per se, though it was potentially vulnerable to attack. We will discuss the plugin and analyze its unique authentication issues, and then discuss mitigation and the dangers of using unsupported plugins.
Detection and Analysis
The WordPress plugin in question was File Browser, Manager, Backup (+ Database). The plugin enabled authenticated users to view and edit files, create database backups, and run arbitrary commands. The plugin had fewer than 1,000 installs, and there was little information about the plugin in its description or changelog.
The plugin was ‘temporarily stopped’ three weeks before we detected it. The plugin was disabled through a line of code added to filemanager.php, but only site owners who updated the plugin would have the disabling code. A site developer might even roll-back the code if they realized the update stopped the plugin from working. Without that line of code, the plugin can be used normally and, as it turns out, be exploited in specific conditions.
Authentication is a critical component of online services, separating administrative privileges from a website’s visitors. WordPress includes its own administrative services and protections, allowing plugins to rely on WordPress’ security features to protect restricted services. Plugins don’t always use these features correctly, preferring instead to use their own security implementations which can result in insecure authentication.
The File Browser plugin begins its security by determining if the plugin’s readme file is present. If it finds readme.txt, it then examines user levels to authenticate the user.
Unfortunately, the user levels method of authentication was deprecated as of WordPress 3.0. Even before it was deprecated, there was already a better authentication alternative in WordPress 2.0 — and the plugin claimed to be compatible with WordPress up to version 3.5.2.
The plugin’s authentication was built around these two requirements: the presence of a readme file and an outdated WordPress authentication method. When trying to use the plugin unauthenticated, it should block access.
But if the plugin’s readme file was renamed or removed, the authentication process fails open and grants complete access to the plugin’s core functionality.
It’s not clear whether the reliance on deprecated WordPress authentication could cause the plugin’s authentication process to fail. But the reliance on the presence of the readme file was dangerous, as it’s not uncommon for a site owner or web developer to remove unnecessary text files, like readmes, as part of a site cleanup.
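To make the failure mode concrete, here is an added illustration written for this article; it is not the File Browser plugin’s own code. The first function reproduces the pattern described above (a readme check followed by a deprecated user-level check, with no fail-closed branch), and the second shows the capability-and-nonce check a plugin should use instead. The function names, the nonce action string and the readme path are hypothetical; the WordPress functions called (file_exists aside) are real and the code assumes it runs inside a loaded WordPress plugin.

```php
<?php
/*
 * Added example for this article, not the File Browser plugin's code.
 * Function names, the 'fb_' prefix and the nonce action are hypothetical.
 */

// WEAK PATTERN (as described in the article): the only gate runs when
// readme.txt is present. Delete or rename the readme and the function falls
// through to "allowed" without ever looking at the user. The user_level
// property it relies on was deprecated in WordPress 3.0.
function fb_weak_is_allowed() {
    $readme = plugin_dir_path( __FILE__ ) . 'readme.txt'; // hypothetical path
    if ( file_exists( $readme ) ) {
        global $current_user;
        if ( empty( $current_user->user_level ) || (int) $current_user->user_level < 10 ) {
            return false; // blocked only on this branch
        }
    }
    return true; // no readme => no check at all: fails open
}

// HARDENED PATTERN: fail closed, use capabilities (available since WordPress
// 2.0) instead of user levels, and require a nonce so the action cannot be
// triggered by a cross-site request. Nothing depends on a text file existing.
function fb_require_admin( $nonce_action ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 'Forbidden', array( 'response' => 403 ) );
    }
    // check_admin_referer() stops execution if the nonce is missing or invalid.
    check_admin_referer( $nonce_action );
    return true;
}

// Privileged action wired through admin-post.php. The admin_post_* hook only
// fires for logged-in users; fb_require_admin() then enforces capability + nonce.
add_action( 'admin_post_fb_run_backup', function () {
    fb_require_admin( 'fb_run_backup' ); // hypothetical nonce action name
    // ... perform the privileged operation here ...
    wp_safe_redirect( admin_url( 'tools.php' ) );
    exit;
} );

// The form that triggers the action must carry the matching nonce.
function fb_render_backup_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'fb_run_backup' );
    echo '<input type="hidden" name="action" value="fb_run_backup">';
    echo '<button type="submit">Run backup</button></form>';
}
```

The design point is the default branch: fb_weak_is_allowed() treats a missing precondition as permission, while fb_require_admin() refuses unless every check passes. Capability checks also survive WordPress upgrades in a way user levels do not, since roles and capabilities are the mechanism WordPress itself uses for its admin screens.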
The SiteLock Research Team notified WordPress.org of the defunct plugin and it was quickly removed.
- 2 Feb 2016 – Notified firstname.lastname@example.org of the defunct plugin
- 2 Feb 2016 – WordPress.org responded they would investigate
- 3 Feb 2016 – Plugin was removed from WordPress.org.
Mitigation and Prevention
If you have the File Browser, Manager, Backup (+ Database) plugin installed, we recommend removing the plugin as soon as possible, either through the WordPress admin or by deleting the file-manager-database-backup directory inside wp-content/plugins. As the file manager can be used to view WordPress config files, you should change all of the database passwords to strong, unique passwords for every site under that hosting account. Finally, as this plugin can be exploited to upload malicious content, use a malware scanner to check the remaining files on the site for malicious code.
The File Browser plugin was clearly unsupported and poorly maintained, and unsupported or poorly maintained plugins are found on many WordPress sites. Avoid using unsupported plugins as much as possible. A WordPress site owner can assess the support for a plugin by examining the plugin’s information on WordPress.org. Well-supported plugins will have an accurate and timely changelog, a recently updated version listed, and a ‘compatible up to’ value that is near or equal to the latest WordPress version.
Contact SiteLock today to learn more about the cybersecurity landscape, and what you can do to make sure your site doesn’t fall victim to a successful cyberattack.