Unauthorized Admin User Created via Disguised WordPress Plugin

Recently at Sucuri, we investigated a malware case reported by one of our clients. Their WordPress site was compromised, and the attacker had installed a fake plugin. Our analysis revealed that it was a sophisticated backdoor plugin designed to create a persistent and hidden administrator account.

What Did We Find?

The infection was located inside the WordPress plugins directory:

./wp-content/plugins/wp-compat/wp-compat.php

The plugin claimed to fix compatibility issues with newer WordPress and PHP versions.
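
Because the plugin's stated purpose says nothing about whether it belongs on the site, a useful check is to compare the plugin folders on disk against a list the site owner actually approved. The following is an added example, not code from Sucuri or from the malicious plugin; the `approved_slugs` allow-list, the sample directory tree and the `WP Compat` header value are constructed assumptions, and only the `wp-compat/wp-compat.php` path comes from this page.

```python
import os
import re
import tempfile

# Path reported on this page, relative to the WordPress root.
REPORTED_PATH = os.path.join("wp-content", "plugins", "wp-compat", "wp-compat.php")
# WordPress reads plugin metadata from a header comment in the first 8 KB of the file.
HEADER_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def plugin_name(php_file):
    """Return the 'Plugin Name' a PHP file declares, or None if it has no header."""
    with open(php_file, "rb") as fh:
        match = HEADER_RE.search(fh.read(8192))
    return match.group(1).decode("utf-8", "replace") if match else None

def audit_plugins(wp_root, approved_slugs):
    """List plugin folders that are not on the operator's approved list."""
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    reported_present = os.path.isfile(os.path.join(wp_root, REPORTED_PATH))
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        folder = os.path.join(plugins_dir, slug)
        if not os.path.isdir(folder) or slug in approved_slugs:
            continue  # single-file plugins and approved folders are out of scope here
        php_files = [f for f in sorted(os.listdir(folder)) if f.endswith(".php")]
        claims = [n for n in (plugin_name(os.path.join(folder, f)) for f in php_files) if n]
        # "claims" is what the plugin says it is; it is not evidence of legitimacy.
        findings.append({"slug": slug, "claims": claims,
                         "matches_reported_path": reported_present and slug == "wp-compat"})
    return findings

def build_sample_site(root):
    """Create a constructed plugin tree for the demo (not real plugin code)."""
    samples = {
        "akismet/akismet.php": "<?php\n/*\n * Plugin Name: Akismet Anti-spam\n */\n",
        "wp-compat/wp-compat.php": "<?php\n/*\nPlugin Name: WP Compat\n*/\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, "wp-content", "plugins", *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(audit_plugins(site, approved_slugs={"akismet"}))
```

On a real site, pass the WordPress root and the set of plugin folder names you installed yourself; anything returned deserves a manual look at its files and at the site's administrator accounts.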

Via Sucuri.net