Thousands of WordPress sites targeted with malicious plugin backdoor attacks
- Security researchers found JavaScript code installing four backdoors to WP-powered sites
- They also found a vulnerable plugin enabling full website takeover
- There are patches and mitigations for all these vulnerabilities
A single piece of JavaScript code deployed no less than four separate backdoors onto roughly 1,000 WordPress websites, according to a new report from cybersecurity researchers c/side, who detailed the four backdoors and explained how website builder users should protect themselves.
The analysis did not elaborate how the malicious JavaScript made it into these websites – we can assume either weak or compromised passwords, a vulnerable add-on, or similar. In any case, the code is served via cdn.csyndication[dot]com, a domain mentioned in at least 908 websites.
It deploys four backdoors. One installs a fake plugin named “Ultra SEO Processor” that can execute commands remotely, one injects malicious JavaScript into wp-config.php, one adds an SSH key to allow threat actors persistent access, and one runs commands remotely and opens a reverse shell.
You may like
Chaty Pro 10/10
To minimize the risk, c/side advises website owners delete unauthorized SSH keys, rotate their WP admin credentials, and scan system logs for any suspicious activity.
At the same time, PatchStack found Chaty Pro, a popular WordPress plugin with some 18,000 installations, was enabling malicious file uploads on websites where it was installed. Chaty Pro allows owners to integrate chat services with social messaging tools.
The flaw is tracked as CVE-2025-26776 and has a 10/10 severity score (critical). Since threat actors can use it to upload malicious files, it can lead to full website takeover, hence the critical severity. Infosecurity Magazine reports the function included a whitelist of allowed file extensions which was, sadly, never implemented.
“Uploaded file name contains the upload time and a random number between 100 and 1000, so it is possible to upload a malicious PHP file and access it by brute forcing possible file names around the upload time,” PatchStack explained.
Chaty Pro’s maintainers released a fix on February 11. All users are advised to upgrade the extension to version 3.3.4.
Via The Hacker News
You might also like
Security researchers found JavaScript code installing four backdoors to WP-powered sites They also found a vulnerable plugin enabling full website takeover There are patches and mitigations for all these vulnerabilities A single piece of JavaScript code deployed no less than four separate backdoors onto roughly 1,000 WordPress websites, according to…
