A recent report from Sucuri revealed that the Eval PHP WordPress plugin is being exploited by threat actors to install backdoors on target websites. Despite being abandoned for more than a decade, the plugin’s inherent vulnerabilities have made it easy for attackers to use it for malicious purposes.
Eval PHP was originally written to let WordPress admins embed PHP code in their posts and pages, suppress PHP error messages, and perform a few related functions. Because its developer stopped releasing updates, the plugin sat dormant in the WordPress repository.
In April 2023, Sucuri noticed a sudden surge in the number of installations of the Eval PHP plugin. Upon investigating, they uncovered a malicious campaign that exploits the plugin to infect websites with backdoors. The attackers first install the vulnerable plugin on a target website, which is easy to do since the plugin is still available on the official WordPress plugin repository.
The attackers then create draft posts on the target website to execute malicious PHP backdoors. In some cases, they even create drafts with admin accounts.
According to Sucuri, the most effective way for WordPress admins to detect a compromise of their site is to check for the presence of Eval PHP, especially if they did not install the plugin themselves. Its presence indicates a compromised site that likely contains backdoors. To limit exposure to this kind of abuse, Sucuri recommends protecting admin accounts with 2FA, keeping the site current with the latest patches, and running a robust WAF.
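As an added example (not code from Sucuri's report or from the plugin), a small Python audit implementing the two checks described above: whether the Eval PHP plugin directory exists under the WordPress root, and whether any post, draft or published, embeds PHP through the plugin's shortcode. The directory slug evalphp and the [evalphp]...[/evalphp] shortcode are assumed from the plugin's own conventions, the helper names are hypothetical, and the post rows are constructed.

```python
import re
from pathlib import Path

# Assumed from the plugin itself (not stated in the article): its directory slug
# and the shortcode it uses to wrap PHP inside post content.
PLUGIN_SLUG = "evalphp"
SHORTCODE_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.IGNORECASE | re.DOTALL)
# PHP constructs that commonly show up in web shells and backdoor droppers.
SUSPICIOUS_RE = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|system|shell_exec|passthru|file_put_contents)\s*\("
    r"|\$_(?:GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)

def plugin_installed(wp_root: str) -> bool:
    """True if wp-content/plugins/evalphp exists under the WordPress root."""
    return (Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG).is_dir()

def find_evalphp_posts(posts):
    """posts: iterable of dicts with keys ID, post_status, post_content
    (e.g. rows pulled from wp_posts). Returns (ID, status, reason) for every
    post that embeds PHP through the shortcode, drafts included."""
    findings = []
    for post in posts:
        for body in SHORTCODE_RE.findall(post["post_content"]):
            hits = sorted({m.group(0).split("(")[0].strip() for m in SUSPICIOUS_RE.finditer(body)})
            reason = "suspicious: " + ", ".join(hits) if hits else "shortcode present"
            findings.append((post["ID"], post["post_status"], reason))
    return findings

def audit(wp_root, posts):
    """Combine both checks into a single verdict."""
    installed = plugin_installed(wp_root)
    hits = find_evalphp_posts(posts)
    return {"plugin_installed": installed, "posts": hits,
            "compromise_suspected": installed or bool(hits)}

# Constructed sample rows standing in for wp_posts; payloads are placeholders.
SAMPLE_POSTS = [
    {"ID": 1, "post_status": "publish", "post_content": "<p>Welcome to our blog.</p>"},
    {"ID": 2, "post_status": "draft",
     "post_content": "[evalphp] eval(base64_decode('PLACEHOLDER')); [/evalphp]"},
    {"ID": 3, "post_status": "draft",
     "post_content": "[EvalPHP] $c = $_REQUEST['c']; /* PLACEHOLDER */ [/EvalPHP]"},
]

if __name__ == "__main__":
    for finding in find_evalphp_posts(SAMPLE_POSTS):
        print(finding)
```

In a real audit the rows would come from `SELECT ID, post_status, post_content FROM wp_posts`, so that drafts, which never render publicly, are not missed.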
In conclusion, the exploitation of the Eval PHP WordPress plugin is a reminder that abandoned plugins with known vulnerabilities can pose a serious threat to website security. Website owners should be cautious about using such plugins and keep their sites up to date with the latest security patches. Additionally, robust security measures like 2FA and a WAF can help prevent malicious exploitation of vulnerabilities.