Support » Plugin: WPlite » Widely exploited?

  • We don’t use this plugin. However, one of our websites has been getting LOT of contact form spam.

    IN those contact form requests, there are links to a TON of WordPress sites and the spammy links all incorporate the wplite plugin.

    Example (urls sanitized for safety):

    And about 50 of those urls in each contact request, and ALL with wplite.

    With SO many involving the WPlite plugin, I wonder if it’s been sooooo compromised?

    If so, perhaps remove it from the plugins?

Viewing 6 replies - 1 through 6 (of 6 total)
  • I agree. I’m also getting this spam and warning site owners where I can.

    The hack seems to place four php files in the /wp_lite/ folder and these are being used to distribute malware.

    Is there anywhere we can report these compromised plugins?

    Your site being hacked or targeted by spam does not necessarily mean that this plugin was responsible – even if the hackers have placed files in this plugin’s folder.

    Where hacks have occurred, you need to start working your way through these resources:

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress

    If you have hard evidence of this plugin being involved (ie you can trace attack vectors etc), then please contact plugins [at] wordpress [dot] org. I also think it worth noting that the plugin hasn’t been updated in almost 6 years and may no longer be compatible with the current version of WordPress – as the notice on warns.

    My site wasn’t exploited as I wouldn’t use a plug in that was this out of date.

    I know of an infected site that is using 3.8, so it presumably works, and of the current load of spam I am getting (which includes links into typo3 sites and sites), ALL of the WordPress sites have links in the wplite folder.

    I checked the known site on sucuri sitecheck.

    I’m trying to help others here, and not myself. None of my sites are infected.

    However there are site owners using this plug in who clearly need help, never mind those who follow the links in the spam emails and get infected by the malware.

    Since the plug in has not been updated in such a long time and is at least suspected (if not the back door) in infecting WordPress sites would it not make sense to remove it from the directory anyway? It may stop people who don’t bother to read the out of date notice opening their sites up to infection.

    Thanks for the links though. Interesting reading šŸ˜‰

    @moghillpat: Not all older plugins create issues in the current version of WordPress, so it’s not general policy to remove them.

    Also, as you are not using this plugin yourself, I don’t see how (with all due respect) you can claim that this specific plugin has been compromised. I cannot see anything obvious in the plugin’s code that looks suspicious. A far more likely explanation is that some sites have been hacked and the mail is coming from them with inserted files in the plugin’s folder possibly being used as the mechanism. There could well be other emails going out that appear to come from other plugins.

    Unless you can provide hard evidence that this plugin is acting as a vector for these emails/hacks, there’s really not a lot we can do. If you do know of infected sites, all I can suggest is that you try and persuade the owners of the sites to start de-lousing their sites. If that doesn’t work, a quiet word with their hosting provider might be in order.

    Fair enough, I guess. Just trying to prevent others from getting infected.

    However, I have seen dozens and dozens of these spam emails now, and all used wplite to store the infected files.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Widely exploited?’ is closed to new replies.