WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext

Posted by timothy on Friday March 4, 2016 @10:44PM from the considered-harmful dept.

An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites. "This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user's password is collected (in cleartext) and sent to his server. WordPress hasn't moved in to ban the plugin just yet, despite user complaints.

1 of 76 comments (clear)

Min score:

Reason:

Sort:

Is WordPress... by Alypius · 2016-03-04 22:49 · Score: -1, Offtopic

...the new WordPerfect? I mean, while I'm sitting here trying to format a thesis, I'm hit with the "ZOMG BACKDOOR" headline. I mean, sure, if someone really wants to know how badly Uttar Pradesh is fucking up basic electricity (half the size of California with twice the population and a third of the electrification, all of which is based on who got elected), then hey, Hillary totes deserves election becuz vayjayjay or something.