“New” Linux Malware Attempting to Exploit WordPress Plugin Vulnerabilities is Actually Years Old
Recently the security news outlet Bleeping Computer ran a story by Bill Toulas with the headline “New Linux malware uses 30 plugin exploits to backdoor WordPress sites”, but the only cited source for the story, Doctor Web, stated that the malware was likely more than three years old (emphasis ours):
revealed that it could be the malicious tool that cybercriminals have been using for more than three years
The post went on to claim that development of the malware is “active at the moment”:
The new add-ons targeted by the new variant indicate that the development of the backdoor is active at the moment.
Looking at the plugins referenced in the “new” variant, two of them had vulnerabilities we warned about when hackers were likely targeting them back in 2019. That would be in line with the malware being years old and is not an indication of active development.
It appears the author of the story didn’t do basic due diligence, as one of the plugins they mentioned as being impacted is “Faceboor Live Chat by Zotabox”. Beyond the typo in Facebook (which comes from Doctor Web’s post), there doesn’t appear to be a WordPress plugin with that name. It appears that might be referring to a plugin named FB Messenger Live Chat developed by Zotabox.
We separately reached out to Bill Toulas and Bleeping Computer for comment on those issues yesterday, but we have received no response so far.
Lack of Newsworthiness
There doesn’t really appear to be a news story here. That hackers were trying to exploit vulnerabilities in WordPress plugins years ago isn’t really something worth writing about now, which might explain the claim that this was new.
There isn’t even basic information on what versions of the plugins were supposed to be impacted, which might have provided at least a little bit of news value.
What we frequently see is that other news outlets run with stories based on Bleeping Computer stories, often spreading inaccurate information from those stories in the process. Google News also plays a role in this, as it includes Bleeping Computer’s inaccurate stories and other stories copied from them. Google inexplicably doesn’t provide a mechanism for reporting news outlets running false stories that are included in Google News.
Another prominent news outlet, Ars Technica, ran with this despite the lack of newsworthiness, with this underwhelming headline: “Hundreds of WordPress sites infected by recently discovered backdoor”.
Developers Dealing With Fallout of This
In our monitoring of the WordPress support forum for information on vulnerabilities in plugins, we have been seeing the fallout from this, with people being concerned in ways they shouldn’t be. For example, one person assumed there was an unfixed vulnerability being exploited in one of the mentioned plugins:
Recently, a vulnerability was found in WordPress, and WP-Piwik is one of the plugins which could be hacked and let non-authorised users inject code. Do you plan to make a security update?
The vulnerability being targeted was likely this one, which we warned about back in 2016. It was also fixed in 2016.
Another example involved someone expecting that a developer would provide a response (to something that happened years ago):
I’ve been using this plugin for years, in a limited capacity, and I enjoy its features. However, a recent backdoor found in 30 WP plugins (including this one) is causing me some concern. I’m hoping the Dev posts something at the forum regarding the issue because I haven’t seen a pinned response as yet.