Wordfence Security Plugin

We found new intresting malware that infected WordPress and Wordfence Security plugin. This malware filename is random numeric with php extension. Unlink When it just executed from remote GET Request, it remove itself at first. So it’s difficult know what happened on server and what case infection to WordPress and Wordfence. wp-blog-header.php It modifying WordPress … Read more

RCE Attempts Against the Latest WordPress API Vulnerability

We are see remote command execution (RCE) attempts trying to exploit the latest WordPress API Vulnerability. The attackers trying to exploit sites that have plugins like the Insert PHP, Exec-PHP and similar installed plugins. These plugins, allow users to insert PHP code directly into the posts as a way to make customizations easier. Coupled with … Read more

Content Injection Vulnerability in WordPress 4.7.x API

A new dangerous content injection vulnerability has been discovered in the WordPress CMS, it is a zero-day content injection flaw in the WordPress REST API. A fix for this was silently included on version 4.7.2 along with other less severe issues. Introduction This privilege escalation vulnerability affects the WordPress REST API that was recently added … Read more

common.php (Object Injection Vulnerability in Backup & Restore Dropbox)

WordPress plugin Backup & Restore Dropbox have PHP Object Injection Vulnerability. It’s allow remote download malware to the server. This vulnerability founded by pluginvulnerabilities.com and published it. We found that vulnerability try malware download common.php malware to server via FTP Protocol. Real Post Payload First file_get_contents download common.php malware and file_put_contents write it to server. … Read more

gzpdecode.php

WordPress Vulnerability in Cherry Plugin – Arbitrary File Upload The Vulnerability allow an attacker to upload all types of files without administrator login. /wp-content/plugins/cherry-plugin/admin/import-export/upload.php This is fixed latest version of Cherry Plugin, but all customers won’t update their website and files. Interesting comes heres, botnetwork search this old vulnerability and if found they upload malware … Read more

yiw_contact sendemail file upload vulnerability

Looking better POST payload, header looks normal request: In the below HTTP Post, there were 2 parameters that started with yiw. This indicates that the attacker is likely trying to explpoit the Beauty & Clean Theme File Upload WordPress Vulnerability which is literally as simple as posting your backdoor file to the contact field via … Read more

work1.php

This is old Arbitrary File Upload Vulnerability in Cherry Plugin (Worpdress). Malware tries patch .htaccess files and add own redirect that file. When a user access website with correct browser, then redirect activates and redirect user to another page. Last malware unlink (removes) itself. Full sourcecode

wp.php

If we look inside this PHP script (only a small part of the code): Execute wp.php If we run this, we found PHP Command shell WSO 2.5 (backdoor) this file: Detect this malware Malware Expert – Signatures found this malware from php code, if you want use our signatures for free.