Slashdot Mirror

← Back to Stories (view on slashdot.org)

WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext

Posted by timothy on from the considered-harmful dept.

An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites. "This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user's password is collected (in cleartext) and sent to his server. WordPress hasn't moved in to ban the plugin just yet, despite user complaints.

4 of 76 comments (clear)

  1. plugin has been suppressed from the wordpress site by Herve5 · · Score: 4, Informative

    I find the info quite aggressive agains WP, the plugin indeed has been banned, and before this second post...

    --
    Herve S.
  2. Re:plugin has been suppressed from the wordpress s by Hognoxious · · Score: 3, Funny

    So somebody did the needful?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  3. Re:Chill. It's just a buggy update feature. by Anonymous Coward · · Score: 3, Funny

    First rule of Wordpress: never use any plugins or themes
    Second rule of Wordpress: never use stock wordpress without additional plugins to fix security

    Make sure to follow both rules at all times or don't use Wordpress at all.

  4. Re:Truly irresponsible by Dunbal · · Score: 3, Funny

    The developer should be extradited

    Why? He didn't hack a movie studio or a music studio, nor did he hack the government. Extradited, hahahahahahahahaha oh wait you were serious...

    --
    Seven puppies were harmed during the making of this post.