Stealthy Backdoor in WordPress Plugins Gives Attackers Persistent Access to Websites

A sophisticated WordPress malware campaign has been discovered operating through the rarely monitored mu-plugins directory, giving attackers persistent access to compromised websites while evading traditional security measures. The malicious code, identified as wp-index.php, exploits WordPress's "must-use plugins" functionality to maintain continuous operation without the possibility of deactivation through the admin panel.

Sucuri analysts identified this particularly insidious threat during routine malware investigations, noting its exceptional ability to maintain persistence across multiple infection vectors. Rather than relying solely on file-based infections that can be detected through integrity monitoring, the backdoor stores its payload within WordPress's options table. Upon execution, the malware fetches remote payloads from a concealed URL and stores them directly in the WordPress database under the option key "_hdra_core", effectively bypassing filesystem-based security scans that focus primarily on file modifications. The primary loader script retrieves base64-encoded payloads from the remote server at hxxps://1870y4rr4y3d1k757673q[.]xyz/cron.php, which when decoded reveal a comprehensive malware framework. The malware then executes this stored payload before immediately cleaning up temporary files, leaving minimal forensic evidence.

This framework includes a covert file manager disguised as "pricing-table-3.php" within the active theme directory, protected by a custom authentication token "fsociety_OwnzU_4Evr_1337H4x!" transmitted via HTTP headers. The researchers also observed that the malware creates a hidden administrative user named "officialwp" while simultaneously hiding its presence from the WordPress user interface through carefully crafted filter functions. This approach ensures the malware survives standard cleanup procedures while providing attackers with remote code execution capabilities and complete administrative control over compromised WordPress installations.
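The indicators named in the write-up (the mu-plugin loader file, the theme-directory file manager, the `_hdra_core` option key and the `officialwp` user) can be checked directly against a site's files and database exports rather than through the dashboard, which the malware's filter functions can falsify. The following triage script is an added example and is not code from the article or from Sucuri; the function names (`scan_filesystem`, `scan_options`, `scan_users`, `run_triage`, `demo`) and the sample install tree, option rows and user rows it builds are all constructed for illustration. It goes slightly beyond the named indicators by also flagging any option value that is a base64 blob decoding to PHP source, and any administrator account not in an expected set, since the same storage technique could be reused under a different key or username.

```python
"""Offline triage checks for the mu-plugins backdoor described in the article.

Added example, not the article's or Sucuri's code. Options and users are
passed in as plain Python lists so the script runs without a database; in
practice they would come from `wp option list`, `wp user list` or a SQL dump.
"""
import base64
import binascii
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the write-up
MU_PLUGIN_FILE = "wp-index.php"
FILE_MANAGER_NAME = "pricing-table-3.php"
OPTION_KEY = "_hdra_core"
HIDDEN_ADMIN = "officialwp"


def scan_filesystem(wp_root):
    """Return (indicator, relative_path) pairs for suspicious files under a WP root."""
    root = Path(wp_root)
    findings = []
    mu_dir = root / "wp-content" / "mu-plugins"
    if mu_dir.is_dir():
        # mu-plugins load on every request and cannot be deactivated from the
        # admin panel, so every file here deserves review; the named loader is
        # flagged outright
        for p in mu_dir.iterdir():
            if p.name == MU_PLUGIN_FILE:
                findings.append(("mu-plugin loader", str(p.relative_to(root))))
    themes_dir = root / "wp-content" / "themes"
    if themes_dir.is_dir():
        for p in themes_dir.rglob(FILE_MANAGER_NAME):
            findings.append(("theme file manager", str(p.relative_to(root))))
    return sorted(findings)


def looks_like_encoded_php(value):
    """True if value is a base64 string whose decoded bytes contain PHP code."""
    if not isinstance(value, str) or len(value) < 16:
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return b"<?php" in decoded or b"eval(" in decoded


def scan_options(options):
    """options: iterable of (option_name, option_value). Returns (name, reasons)."""
    findings = []
    for name, value in options:
        reasons = []
        if name == OPTION_KEY:
            reasons.append("known option key")
        if looks_like_encoded_php(value):
            reasons.append("base64 value decodes to PHP")
        if reasons:
            findings.append((name, reasons))
    return findings


def scan_users(users, expected_admins):
    """users: iterable of (user_login, role). Read from the DB, not the UI,
    because the backdoor hides its account from the dashboard."""
    findings = []
    for login, role in users:
        reasons = []
        if login == HIDDEN_ADMIN:
            reasons.append("known hidden-admin login")
        if role == "administrator" and login not in expected_admins:
            reasons.append("administrator not in expected set")
        if reasons:
            findings.append((login, reasons))
    return findings


def run_triage(wp_root, options, users, expected_admins):
    return {
        "files": scan_filesystem(wp_root),
        "options": scan_options(options),
        "users": scan_users(users, expected_admins),
    }


def build_sample_install():
    """Constructed throwaway tree mimicking an infected install (example data)."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    mu = root / "wp-content" / "mu-plugins"
    mu.mkdir(parents=True)
    (mu / MU_PLUGIN_FILE).write_text("<?php // constructed stand-in for the loader\n")
    (mu / "legit-helper.php").write_text("<?php // benign, should not be flagged\n")
    theme = root / "wp-content" / "themes" / "sample-theme"
    theme.mkdir(parents=True)
    (theme / FILE_MANAGER_NAME).write_text("<?php // constructed stand-in\n")
    return root


# Constructed sample rows; the _hdra_core value is a base64 PHP stub
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    (OPTION_KEY, base64.b64encode(b"<?php eval('echo 1;');").decode()),
    ("blogdescription", "Just another site"),
]
SAMPLE_USERS = [("admin", "administrator"), (HIDDEN_ADMIN, "administrator"), ("editor1", "editor")]


def demo():
    """Run the triage over the constructed sample and clean up."""
    root = build_sample_install()
    try:
        return run_triage(root, SAMPLE_OPTIONS, SAMPLE_USERS, expected_admins={"admin"})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for section, hits in demo().items():
        print(section, hits)
```

Point `run_triage` at a real install root plus exported option and user rows; an empty result for all three sections is only meaningful if the rows came from the database, not from the admin screens the malware filters.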

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 24 Jul 2025 08:05:21 +0000


Cyber News related to Stealthy Backdoor in WordPress Plugins Gives Attackers Persistent Access to Websites

Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack - On June 24th, 2024, the Wordfence Threat Intelligence Team became aware of a WordPress plugin, Social Warfare, that was infected with malware through the WordPress repository. We immediately notified the WordPress Plugin's Team and they removed the ...
1 year ago Wordfence.com
BianLian GOs for PowerShell After TeamCity Exploitation - In conjunction with GuidePoint's DFIR team, we responded to an incident that began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of BianLian's GO backdoor. The threat actor identified a ...
1 year ago Securityboulevard.com CVE-2024-27198 CVE-2023-42793 BianLian
3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords - Update #1: As of 12:36PM EST, another plugin has been infected. We've updated the list below to include this fourth plugin and the plugins team has been notified. Update #2: As of 2:20 PM EST, two more plugins appear to have malicious commits the ...
1 year ago Wordfence.com
Hackers abuse WordPress MU-Plugins to hide malicious code - Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection. However, because MU-plugins run on every page load and don't appear in the standard plugin list, ...
3 months ago Bleepingcomputer.com
CVE-2023-2813 - All of the above Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordPress theme through 1.1, Arendelle WordPress theme before 1.1.13, Atlast Business WordPress theme through 1.5.8.5, Bazaar Lite WordPress theme before ...
1 year ago
New Stealthy NodeJS Backdoor Infects Users via CAPTCHA Verifications - This campaign represents a growing trend of threat actors exploiting seemingly legitimate security measures to distribute malicious code, targeting users who are accustomed to completing CAPTCHA challenges during their regular online activities. When ...
2 months ago Cybersecuritynews.com
ChatGPT Extensions Could be Exploited to Steal Data and Sensitive Information - API security professionals Salt Security have released new threat research from Salt Labs highlighting critical security flaws within ChatGPT plugins, presenting a new risk for enterprises. Plugins provide AI chatbots like ChatGPT access and ...
1 year ago Itsecurityguru.org
New Balada Injector campaign infects 6,700 WordPress sites - A little over 6,700 WordPress websites using a vulnerable version of the Popup Builder plugin have been infected with the Balada Injector malware in a campaign that launched in mid-December. Initially documented by researchers at Dr. Web who observed ...
1 year ago Bleepingcomputer.com CVE-2023-6000
75K+ WordPress Sites Impacted by Critical Plugin Flaws - A large-scale breach has impacted more than 75,000 WordPress sites that are running an online course plugin. According to security researchers, the plugin has three critical vulnerabilities that could expose customer data and be used to take over ...
2 years ago Bleepingcomputer.com
WordPress Request Architecture and Hooks - Before diving into the security features of WordPress, it's critical to understand the underlying request architecture. WordPress is a dynamic system that processes and responds to user requests in various ways, depending on the nature of the request ...
1 year ago Wordfence.com
Russian Sandworm Group Using Novel Backdoor to Target Ukraine - Russian nation-state group Sandworm is believed to be utilizing a novel backdoor to target organizations in Ukraine and other Eastern and Central European countries, according to WithSecure researchers. The previously unreported backdoor, dubbed ...
1 year ago Infosecurity-magazine.com
Record Breaking $153,000+ Already Invested into the Security of the WordPress Ecosystem by Wordfence - In just a few short months since our launch in November of last year, the Wordfence Bug Bounty Program has already awarded over $153,000 in bounties to WordPress security researchers who have been responsibly reporting security issues in WordPress ...
1 year ago Wordfence.com
WordPress GravityForms Plugin Hacked to Include Malicious Code - A sophisticated supply chain attack has compromised the official GravityForms WordPress plugin, allowing attackers to inject malicious code that enables remote code execution on affected websites. The attack, discovered on July 11, 2025, represents a ...
2 weeks ago Cybersecuritynews.com Rocke
Magento supply chain attack compromises hundreds of e-stores - In all observed cases, the extensions include a PHP backdoor added to a license check file (License.php or LicenseApi.php) used by the extension. If the check is successful, the backdoor gives access to other admin functions in the file, ...
2 months ago Bleepingcomputer.com
Many popular websites still cling to password creation policies from 1985 - A significant number of popular websites still allow users to choose weak or even single-character passwords, researchers at Georgia Institute of Technology have found. The researchers used an automated account creation method to assess over 20,000 ...
1 year ago Helpnetsecurity.com
An Inside Look at The Malware and Techniques Used in the WordPress.org Supply Chain Attack - After adding the malicious code to our Threat Intelligence Database and examining it, we quickly discovered that several other plugins were also affected. We will begin with the Blaze Widget plugin which saw the largest amount of activity in terms of ...
1 year ago Wordfence.com
Alert: 'Effluence' Backdoor Persists Despite Patching Atlassian Confluence Servers - Cybersecurity researchers have discovered a stealthy backdoor named Effluence that's deployed following the successful exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server. "The malware acts as a ...
1 year ago Thehackernews.com CVE-2023-22515 CVE-2023-22518
Using Threat Intelligence To Combat Advanced Persistent Threats (APTs) - By incorporating threat intelligence feeds into security operations, organizations gain valuable insights into the tactics, techniques, and procedures (TTPs) used by known APT groups. Modern platforms integrate contextual intelligence feeds, helping ...
3 months ago Cybersecuritynews.com
Atomic macOS infostealer adds backdoor for persistent attacks - A malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, giving attackers persistent access to compromised systems. The analyzed version of the malware comes with an embedded ...
3 weeks ago Bleepingcomputer.com
Iran's Peach Sandstorm Deploys FalseFont Backdoor in Defense Sector - In its latest campaign, the Iranian state-backed hacking group Peach Sandstorm employs the FalseFont backdoor for intelligence gathering on behalf of the Iranian government. Cybersecurity researchers at Microsoft Threat Intelligence Unit have uncovered the ...
1 year ago Hackread.com
20 Best Remote Monitoring Tools - 2025 - What is Good? What Could Be Better? Strong abilities to keep an eye on devices and systems. Some parts may take time to figure out. It gives you tools for remote control and troubleshooting. There could be more ways to change things. Lets you automate ...
3 months ago Cybersecuritynews.com
Stealthy Rootkit-Like Malware Known as BPFDoor Using Reverse Shell to Dig Deeper into Compromised Networks - This Linux backdoor utilizes Berkeley Packet Filtering (BPF) technology to monitor network traffic at the kernel level, allowing it to remain hidden from conventional security scans while maintaining persistent access to compromised systems. Trend ...
3 months ago Cybersecuritynews.com
Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor - The latest version of the Kazuar backdoor could be more sophisticated than previously imagined, according to Palo Alto Networks. The Kazuar backdoor was used by the Russian hacking group Turla to target the Ukrainian defense sector in July 2023, the ...
1 year ago Infosecurity-magazine.com Turla
Pro-Hamas Cyberattackers Aim 'Pierogi' Malware at Multiple Mideast Targets - A group of pro-Hamas attackers known as the Gaza Cybergang is using a new variation of the Pierogi++ backdoor malware to launch attacks on Palestinian and Israeli targets. According to research from Sentinel Labs, the backdoor is based on the C++ ...
1 year ago Darkreading.com