Plugin possible compromised
-
we found a hack today and it was nested in this plugin. Please take a look and keep an eye out
-
I’ve found 4 sites using https://www.ads-software.com/plugins/wp-accessibility/ that are hacked. 3 on different servers and 2 more, both of which I don’t even manage or have anything to do with. The Sucuri Scanners are showing the same exploits. Either that or there was a hole somewhere else. I’m guessing its this plugin since they all share this same common denominator. I let the plugin devs know but no reply yet.
they all seemed to have a similar exploit as seen here https://share.getcloudapp.com/Jru7WZA8
once I deleted the plugin the actual root of the cause was gone. At that point, there was an injection of some kind. To add further headache, out of nowhere an admin user was created using some sort of fake WooCom email address.
All 3 sites seemed to be running different versions of WooCommerce too. I suppose it very well could be Woo related as well but the fact it was nested in the plugin was sort of a red flag to me.
We were running the latest versions of WP Accessibility Helper. Usually, I can sniff out the malicious code but this was really sneaky. I reported to Sucuri but unfortunately, I had deleted the plugin prior to the cleanup.
We were using the latest version of WordPress too. All other plugins were updated too.
the footer had a big gap in it and there were some weird iframes like so https://share.getcloudapp.com/04ugKEmZ. They were being created by this https://share.getcloudapp.com/7KuyRQL1
Hope that helps.
I don’t mean to cause alarm but if its a glaring hole hopefully we can knock it quickly.
And sorry I half posted info… I accidentally posted the rest of the info to another similarly named plugin… oops.
- The topic ‘Plugin possible compromised’ is closed to new replies.
