Tonight I came across a bizarre problem. What started out as a puzzle as to why all my sister's images in ZenPhoto were no longer showing led me on a path that ultimately exposed a pretty nasty exploit in an older version of WordPress, more specifically its WYSIWYG editor, TinyMCE.
It turned out that every single PHP page on my sister's domain had been injected with base64 encoded code. After decoding it became quite apparent the eval(base64_encode()) included on every PHP page exploited this file: /blog/wp-includes/js/tinymce/themes/advanced/images/xp/js.php
I then proceeded to open this file and noted, to my surprise, 1kLOC or more of base64 encoded code. I had to parse it twice to un-encode it and it suddenly became as clear as day that this modified script was responsible for injecting all my PHP files.
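A small triage script for the kind of infection described above, added here as an example and not the post author's own code: it scans PHP files for the eval(base64_decode("...")) wrapper, peels the nested base64 layers (the post needed two), and reports the decoded payload so a site owner can see what each injected page actually does. The sample PHP page is constructed; only the js.php path comes from the post.

```python
from __future__ import annotations
import base64
import re
import sys
from pathlib import Path

# Matches the injected wrapper: eval(base64_decode("<base64 blob>"))
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=\s]+)[\'"]\s*\)\s*\)')

def peel_base64(blob: str, max_layers: int = 5) -> tuple[str, int]:
    """Decode base64 repeatedly until the result is no longer valid base64 text.
    Returns (innermost decoded text, number of layers peeled)."""
    text, layers = blob, 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode("".join(text.split()), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # not base64 any more: we have reached the real payload
        if not decoded:
            break
        text, layers = decoded, layers + 1
    return text, layers

def find_injections(php_source: str) -> list[dict]:
    """Return one finding per eval(base64_decode(...)) wrapper in a PHP source string."""
    findings = []
    for m in EVAL_B64.finditer(php_source):
        payload, layers = peel_base64(m.group(1))
        findings.append({"offset": m.start(), "layers": layers, "payload": payload})
    return findings

def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Walk a web root and map each infected .php file to its findings."""
    return {str(p): hits for p in root.rglob("*.php")
            if (hits := find_injections(p.read_text(errors="replace")))}

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample: the include wrapped in two base64 layers, as the post describes.
INNER = '@include("/blog/wp-includes/js/tinymce/themes/advanced/images/xp/js.php");'
SAMPLE_PHP = '<?php eval(base64_decode("' + _b64(_b64(INNER)) + '")); ?>\n<?php echo "page"; ?>'

if __name__ == "__main__":
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else {"sample.php": find_injections(SAMPLE_PHP)}
    for path, hits in results.items():
        for h in hits:
            print(f"{path}: offset {h['offset']}, {h['layers']} base64 layer(s) -> {h['payload']}")
```

Run it with a web root as the first argument to scan real files; with no argument it demonstrates on the constructed sample.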
I have since removed WordPress from my sister's domain as she no longer uses it, but let this be a cautionary tale for anyone using an older version of TinyMCE as a WYSIWYG editor. This has nothing to do with the core code of WordPress; as far as I can tell, this only affects TinyMCE, which WordPress uses.
I originally posted to this forum, which led me to this exploit. The thread may contain additional information in the future, so I've included a bookmark for reference.