Slashdot Mirror


WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext

An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites. "This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user's password is collected (in cleartext) and sent to his server. WordPress hasn't moved in to ban the plugin just yet, despite user complaints."

4 of 76 comments

  1. Re:plugin has been suppressed from the wordpress s by Hognoxious · Score: 3, Funny

    So somebody did the needful?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  2. Re:Chill. It's just a buggy update feature. by Anonymous Coward · Score: 3, Funny

    First rule of Wordpress: never use any plugins or themes
    Second rule of Wordpress: never use stock wordpress without additional plugins to fix security

    Make sure to follow both rules at all times or don't use Wordpress at all.

  3. Re:Chill. It's just a buggy update feature. by drinkypoo · Score: 2, Funny

    First rule of Wordpress: never use

    Here, FTFY: Your comment could have just stopped here. You could also omit the first three words without compromising it in any relevant way.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Re:Truly irresponsible by Dunbal · Score: 3, Funny

    The developer should be extradited

    Why? He didn't hack a movie studio or a music studio, nor did he hack the government. Extradited, hahahahahahahahaha oh wait you were serious...

    --
    Seven puppies were harmed during the making of this post.