
Stealth backdoor found in WordPress mu-Plugins folder


A new stealth backdoor has been discovered in the WordPress mu-plugins folder, granting attackers persistent access and control over compromised sites.

Sucuri researchers found a stealthy backdoor hidden in WordPress’s “mu-plugins” folder. These plugins auto-run and allow attackers to stay hidden in admin, and maintain persistence.

“Must-use plugins” (the mu-plugins folder) are special WordPress plugins that cannot be deactivated from the WordPress admin panel.

The experts found a malicious PHP file (“wp-index.php”) in the mu-plugins folder acting as a loader. It fetches an obfuscated (ROT13) payload and stores it in the WordPress database under the _hdra_core option.

The backdoor writes the payload to disk and runs it. To hide its code it uses ROT13, a simple, reversible letter shift in which each letter is rotated 13 places in the alphabet (A→N, B→O, C→P, and so on; for example, “HelloWorld” becomes “UryybJbeyq”). This is not real encryption, just basic obfuscation.

The malware decodes a ROT13 URL to fetch a base64-encoded payload, stealthily stores it in the WordPress _hdra_core option, then decodes and executes it, leaving a minimal trace. The payload, from cron.php, includes a hidden file manager (pricing-table-3.php) and creates an admin user (officialwp). It also force-installs a malicious plugin (wp-bot-protect.php) to restore the backdoor if removed.
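One way to hunt for this loader pattern in a site's mu-plugins folder, as an added example that is not code from the Sucuri report: it flags PHP files that combine ROT13/base64/eval calls with the artifacts named above, and it ROT13-decodes every string literal to surface URLs hidden the way the loader hides its download address. The indicator lists, the scoring threshold and the two sample files are constructed for this example.

```python
import codecs
import re
from pathlib import Path

# Indicators drawn from the loader behaviour described above (constructed list, not Sucuri's signatures).
SUSPICIOUS_CALLS = ("str_rot13(", "base64_decode(", "eval(", "file_put_contents(")
KNOWN_ARTIFACTS = ("_hdra_core", "wp-bot-protect.php", "pricing-table-3.php", "officialwp")
PHP_STRING = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""")  # single/double-quoted literal
URL_PREFIX = re.compile(r"^https?://", re.IGNORECASE)

def rot13(text: str) -> str:
    return codecs.decode(text, "rot_13")

def hidden_urls(source: str) -> list:
    """String literals that are not URLs as written but become URLs after ROT13."""
    urls = []
    for match in PHP_STRING.finditer(source):
        literal = match.group(2)
        decoded = rot13(literal)
        if URL_PREFIX.match(decoded) and not URL_PREFIX.match(literal):
            urls.append(decoded)
    return urls

def scan_php(source: str) -> dict:
    """Score one PHP file; hidden URLs and known artifacts weigh more than generic calls."""
    calls = [c for c in SUSPICIOUS_CALLS if c in source]
    artifacts = [a for a in KNOWN_ARTIFACTS if a in source]
    urls = hidden_urls(source)
    score = len(calls) + 3 * len(artifacts) + 3 * len(urls)
    return {"calls": calls, "artifacts": artifacts, "hidden_urls": urls, "score": score}

def scan_mu_plugins(mu_dir: str, threshold: int = 3) -> dict:
    """Walk wp-content/mu-plugins and return findings for files at or above the threshold."""
    hits = {}
    for path in Path(mu_dir).rglob("*.php"):
        result = scan_php(path.read_text(errors="replace"))
        if result["score"] >= threshold:
            hits[str(path)] = result
    return hits

# Constructed samples (not the real malware): a loader-style skeleton and a harmless mu-plugin.
SAMPLE_LOADER = """<?php
$u = str_rot13('uggcf://rknzcyr.pbz/peba.cuc');
$p = base64_decode(/* response body */);
update_option('_hdra_core', $p);
eval($p);
"""
SAMPLE_BENIGN = "<?php add_filter('auto_update_plugin', '__return_true');\n"
```

Run `scan_mu_plugins("wp-content/mu-plugins")` against a real install; the decoded URL in a hit is the indicator to block and to search server logs for.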

“Alarmingly, this malware also includes a function to change the passwords of several common admin usernames (including admin, root, wpsupport, and even its own officialwp user) to a default password set by the attacker,” reads the report published by Sucuri.

“This is a way for the attacker to regain access if the legitimate admin changes their password, or to lock out other admins.”

This malware is highly dangerous as it grants attackers full admin access, allowing them to control the site, steal data, and install more malware. It hides in mu-plugins, stores payloads in the database, and deletes traces after execution. It evades detection, reinstalls itself if removed, and allows remote command execution. Once compromised, the website can be used for broader attacks, making it a persistent and stealthy threat that’s hard to detect and remove.


Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)