09 Jun

When Plugins Are Falsely Blamed As Being The Source of a Hack

One of the things we do to make sure we are providing our customers with the best WordPress plugin vulnerability data is to monitor our websites for attempts to exploit plugin vulnerabilities. That has led to us finding quite old vulnerabilities that were never actually fixed and, recently, quite a few vulnerabilities that hackers had just discovered and started exploiting before the developer was aware of them. It has also shown that hackers will try to exploit vulnerabilities that don’t actually exist and that people will put out false reports of vulnerabilities in plugins. Something we ran into recently also showed that people will accuse plugins of being the source of hacks when they clearly were not.

We recently had a request for the file /wp-content/plugins/tell-a-friend/tell-a-friend.php on one of our websites. That is a file from the plugin Tell a Friend, which we don’t have installed on that website. Looking into the plugin, it only had one version released, and the only file that contained any code was tell-a-friend.php.

The full contents of it are:

<?php
/*
Plugin Name: Tell a Friend
Version: 0.1
Plugin URI: http://www.freetellafriend.com/get_button/
Description: Adds a 'Share This Post' button after each post. The service which is used is freetellafriend.com which supports e-mail address book, social bookmarks and favorites.
Author: FreeTellaFriend
Author URI: http://www.freetellafriend.com/
*/

// Appends the "Share This Post" button to post content (skipped in feeds and on pages).
function tell_a_friend($content) {
	global $post;
	$taf_permlink = urlencode(get_permalink($post->ID));
	$taf_title = urlencode(get_the_title($post->ID));
	// get_settings() is the pre-2.1 name for get_option(); kept as the plugin shipped it.
	$taf_img = get_settings('home') . '/wp-content/plugins/tell-a-friend/button.gif';
	if ( !is_feed() && !is_page() ) {
		$content .= '<a href="https://www.freetellafriend.com/tell/?url='.$taf_permlink.'&title='.$taf_title.'" onclick="window.open(\'https://www.freetellafriend.com/tell/?url='.$taf_permlink.'&title='.$taf_title.'\', \'freetellafriend\', \'scrollbars=1,menubar=0,width=617,height=530,resizable=1,toolbar=0,location=0,status=0,screenX=210,screenY=100,left=210,top=100\'); return false;" target="_blank" title="Share This Post"><img src="'.$taf_img.'" style="width:127px;height:16px;border:0px;" alt="Share This Post" title="Share This Post" /></a>';
	}
	return $content;
}
add_filter('the_content', 'tell_a_friend');

There isn’t anything in that which looks like it could be vulnerable. All the code does is add a button to certain pages on a website.

So why would someone be sending a request for that file? A quick search brought up a WordPress support forum thread, “Site hacked via this plugin”, that seemed to answer that. That thread provides a link to a file that was on someone’s website under that filename. What you will see is that, other than the file headers, the rest of the file is different from the real version. The code in that file is a backdoor script, which allows a hacker remote access to a website.

What appears to have happened is that the hacker used this plugin as the basis for their malicious plugin. The hacker could just as easily have used any other plugin, and there is nothing that could have prevented them from doing that.
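One practical defender's check for the situation described above, written for this post as an added example (not code from the plugin, the forum thread, or this site): it reads the WordPress plugin header the way WordPress does (from the first 8 KiB of the file), looks up the claimed Plugin Name and Version in a table of reference hashes, and flags a file whose header matches a known plugin but whose contents do not. Both sample files and the reference table are constructed here; in real use the reference hashes would be computed from a trusted copy of the plugin, such as the zip from wordpress.org, never from the site under review.

```python
"""Flag files that carry a known plugin's WordPress header but not its code."""
import hashlib
import re

# WordPress's get_file_data() reads only the first 8 KiB of a file when parsing headers.
HEADER_BYTES = 8 * 1024

# Matches "Plugin Name:" / "Version:" header lines, tolerating a leading "/*" or "*".
HEADER_RE = re.compile(r'^[\s/*]*(Plugin Name|Version):\s*(.+?)\s*$', re.MULTILINE)

# Constructed stand-in for the genuine plugin file: real header fields, trimmed body.
GENUINE_FILE = """<?php
/*
Plugin Name: Tell a Friend
Version: 0.1
Plugin URI: http://www.freetellafriend.com/get_button/
*/
function tell_a_friend($content) { return $content; }
add_filter('the_content', 'tell_a_friend');
"""

# Constructed stand-in for the impostor: identical header, unrelated body.
IMPOSTOR_FILE = """<?php
/*
Plugin Name: Tell a Friend
Version: 0.1
Plugin URI: http://www.freetellafriend.com/get_button/
*/
placeholder_for_unrelated_code();
"""


def parse_header(source: str) -> dict:
    """Return the Plugin Name / Version fields found in the file's header block."""
    head = source[:HEADER_BYTES]
    return {field: value.rstrip('*/ ').strip() for field, value in HEADER_RE.findall(head)}


def file_hash(source: str) -> str:
    """SHA-256 of the file with line endings normalised, so a CRLF checkout still matches."""
    return hashlib.sha256(source.replace('\r\n', '\n').encode('utf-8')).hexdigest()


def build_reference(genuine_sources) -> dict:
    """Map (Plugin Name, Version) -> hash of the genuine file.

    Hypothetical helper: feed it trusted copies only (e.g. files unpacked from the
    wordpress.org zip), never files taken from the site being examined.
    """
    reference = {}
    for src in genuine_sources:
        h = parse_header(src)
        reference[(h.get('Plugin Name'), h.get('Version'))] = file_hash(src)
    return reference


def classify(source: str, reference: dict) -> str:
    """'genuine' if header and contents match the reference, 'header-spoofed' if the
    header names a known plugin/version but the contents differ, else 'unknown'."""
    h = parse_header(source)
    key = (h.get('Plugin Name'), h.get('Version'))
    if key not in reference:
        return 'unknown'
    return 'genuine' if file_hash(source) == reference[key] else 'header-spoofed'


if __name__ == '__main__':
    ref = build_reference([GENUINE_FILE])
    for label, src in (('genuine copy', GENUINE_FILE), ('impostor copy', IMPOSTOR_FILE)):
        print(f'{label}: {classify(src, ref)}')
```

The point of keying on name and version is exactly the one this post makes: a plugin header is just text that anyone can paste into any file, so a header alone says nothing about what the file does. Only comparing the contents against a trusted copy tells you whether the plugin, or an unrelated file wearing its header, is what you are looking at.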

That also means the claim in that forum thread that the site was hacked via the plugin was false. On top of that, the thread was posted in the support forum for a different plugin, Tell A Friend: Share/Bookmark/Email/Social Bookmarking Button.

Another poster in the thread wrote, in part:

I will make sure my client does not install any more suspicious plugins without the proper research in the future, but at the same time YOU as the developer should take a look at your own code.

Apparently looking at the code themselves, or even checking whether they were commenting on the right plugin, was too much to ask of them. Both of the aforementioned posters also gave the plugin one-star reviews.

Over at the correct plugin, someone gave it a one-star review despite acknowledging that their issue could have been due to a plugin with the same name:

This plugin or one running under the same name was abused by a malicious third party, causing an account infection and the uploading of numerous other files.
