[Resolved] "Contact Form 7" version 7.3.2 plugin is malicious
This plugin from the Plugin Directory is malicious:
(The malicious version is different than the real version of “Contact Form 7” at <http://wordpress.org/extend/plugins/contact-form-7/>, but unfortunately the malicious version comes up before the real version when searching for “Contact Form” in the Plugin Directory.)
When you activate the malicious one, it sends an e-mail message to “firstname.lastname@example.org”. That message contains a link to “/wp-content/plugins/contact-form-73/settings.php?wpcf7=1” on the blog where the plugin is installed. That script sets an admin-level cookie that gives the attacker full administrator access to the site.
That plugin should be removed from the Plugin Directory ASAP.
Some searching suggests this upload is a response to <http://www.maxence-blog.fr/2011/06/04/pirater-un-blog-wordpress-une-securite-dejouee/>, which is basically a post saying “hey, look, the WordPress people don’t check for malicious uploads to the plugin directory, so it’s easy to hack people’s blogs this way”.
This is alarming. If nothing else, the plugin directory should perhaps do some rudimentary sorting by download count, so that the real version of a plugin (downloaded 4 million times) appears in the results before a hacked version (downloaded a couple of thousand times) when the given name of the plugin is the same.
- The topic ‘[Resolved] "Contact Form 7" version 7.3.2 plugin is malicious’ is closed to new replies.