Thousands of WordPress sites targeted with malicious plugin backdoor attacks

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)

  • Security researchers found JavaScript code installing four backdoors to WP-powered sites
  • They also found a vulnerable plugin enabling full website takeover
  • There are patches and mitigations for all these vulnerabilities

A single piece of JavaScript code deployed no less than four separate backdoors onto roughly 1,000 WordPress websites, according to a new report from cybersecurity researchers c/side, who detailed the four backdoors and explained how website builder users should protect themselves.

The analysis did not elaborate how the malicious JavaScript made it into these websites - we can assume either weak or compromised passwords, a vulnerable add-on, or similar. In any case, the code is served via cdn.csyndication[dot]com, a domain mentioned in at least 908 websites.

It deploys four backdoors. One installs a fake plugin named “Ultra SEO Processor” that can execute commands remotely, one injects malicious JavaScript into wp-config.php, one adds an SSH key to allow threat actors persistent access, and one runs commands remotely and opens a reverse shell.

Chaty Pro 10/10

To minimize the risk, c/side advises website owners delete unauthorized SSH keys, rotate their WP admin credentials, and scan system logs for any suspicious activity.

At the same time, PatchStack found Chaty Pro, a popular WordPress plugin with some 18,000 installations, was enabling malicious file uploads on websites where it was installed. Chaty Pro allows owners to integrate chat services with social messaging tools.

The flaw is tracked as CVE-2025-26776 and has a 10/10 severity score (critical). Since threat actors can use it to upload malicious files, it can lead to full website takeover, hence the critical severity. Infosecurity Magazine reports the function included a whitelist of allowed file extensions which was, sadly, never implemented.

“Uploaded file name contains the upload time and a random number between 100 and 1000, so it is possible to upload a malicious PHP file and access it by brute forcing possible file names around the upload time,” PatchStack explained.

Chaty Pro’s maintainers released a fix on February 11. All users are advised to upgrade the extension to version 3.3.4.

Via The Hacker News

You might also like

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.