To help admins, WordFence has worked with the WordPress plug-in team to patch pre-4.4.5 versions of the plug-in; the author has been blocked from publishing updates without WordPress review; and WordFence now includes firewall rules to block Captcha and five other plug-ins from the same author.
Matt Barry explained that the group took interest in the plug-in after it changed hands in September. Three months after that, Captcha version 4.3.7 landed, and that’s the version that WordFence found carried the backdoor.
The plug-in’s auto-downloader “downloads a ZIP file from https://simplywordpress[dot]net/captcha/captcha_pro_update.php”, which is how the backdoor is put onto the target install.
“This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself.”
The backdoored build differs from the cleaned one in the URL the auto-downloader fetches:

```diff
< $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php';
---
> $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_free_update.php';
```
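As an added defensive illustration (not code from the article, WordFence or the plug-in), here is a small scanner that flags PHP plug-in files combining the traits described above: the simplywordpress update URL, a forced session as user ID 1, setting authentication cookies, and self-deletion. The WordPress function names used as patterns (wp_set_current_user, wp_set_auth_cookie) and the sample file contents are assumptions and constructed samples, not the real plug-in code.

```python
import re
from pathlib import Path

# Heuristic patterns for the behaviour the article describes. The WordPress
# function names are assumptions about how such a backdoor would be written;
# they are not taken from the article.
INDICATORS = {
    "remote_update_url": re.compile(r"simplywordpress\.net/captcha/captcha_(?:pro|free)_update\.php"),
    "admin_user_session": re.compile(r"wp_set_current_user\s*\(\s*1\s*\)"),
    "sets_auth_cookie": re.compile(r"wp_set_auth_cookie\s*\("),
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
}


def scan_source(src):
    """Return the names of the indicators matched in one PHP source string."""
    return [name for name, pat in INDICATORS.items() if pat.search(src)]


def is_suspicious(hits):
    """Forcing a user-1 session and setting auth cookies together is the
    backdoor's core; either alone can be legitimate. The update URL is
    flagged on its own because the article ties it directly to the backdoor."""
    return ("admin_user_session" in hits and "sets_auth_cookie" in hits) or (
        "remote_update_url" in hits
    )


def scan_plugin_dir(root):
    """Walk a wp-content/plugins tree and map suspicious files to their hits."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_source(path.read_text(errors="ignore"))
        if is_suspicious(hits):
            findings[str(path)] = hits
    return findings


# Constructed samples: text shaped like the described behaviour, not real plug-in code.
SAMPLE_BACKDOOR = """<?php
$wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php';
wp_set_current_user(1);
wp_set_auth_cookie(1, true);
unlink(__FILE__);
"""
SAMPLE_BENIGN = """<?php
function my_captcha_render() { echo '<input name="captcha">'; }
"""

if __name__ == "__main__":
    for label, src in (("backdoor", SAMPLE_BACKDOOR), ("benign", SAMPLE_BENIGN)):
        hits = scan_source(src)
        print(label, hits, "SUSPICIOUS" if is_suspicious(hits) else "ok")
```

Point `scan_plugin_dir` at a real plug-ins directory to check installed copies; a hit on the update URL alone is enough to warrant removing the plug-in.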
WordFence pointed the finger at a group of people it considers repeat offenders: domain records, the post said, link simplywordpress[dot]net with one Martin Soiza, via a domain contact e-mail belonging to Stacy Wellington.
The group’s Mark Maunder put together a backgrounder on Soiza in September 2017.
Other plug-ins from the simplywordpress site are Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange – and all of them contain the backdoor code, Barry wrote.
The point of the backdoor, the post said, is to create cloaked backlinks to various payday loan businesses, to boost their Google rankings. As well as Soiza and Stacy Wellington, Barry traced links to a number of payday loan companies, some registered to Soiza, one to Charlotte Anne Wellington. ®