When Your “Security” Plugin is the Hacker

-
Source: The Hacker News

Imagine installing a plugin that promises to protect your WordPress site, only to find out later that it left the door wide open for attackers. That’s exactly what’s been happening in a recent malware campaign where a fake WordPress security plugin is acting more like a saboteur than a shield.

Researchers have uncovered a plugin going by the name wp-antymalwary-bot.php, posing as a security solution while silently handing over admin access to threat actors. Once installed, it injects a stealthy backdoor into the site, letting attackers execute remote commands and manipulate content without raising any red flags. It’s a slick operation. Nothing shows up in the admin panel, and the plugin re-installs itself even after deletion, using a tampered wp-cron.php file as its anchor.

Under the Hood

The attackers aren’t just brute-forcing their way in, they’ve baked persistence into the plugin itself. Once active, the malware uses a function called emergency_login_all_admins, which essentially allows it to impersonate any admin account as long as the attacker knows the magic password. It even reaches into the WordPress REST API to spread malicious PHP code or clear caches that might otherwise alert users to its presence.

This is not your average amateur script. The codebase includes Russian-language comments, hinting at the likely origin of the developers. But attribution aside, it’s the level of control this plugin gives the attackers that’s most concerning. They can inject JavaScript, manipulate site content, and maintain full access long after the initial breach, all while the site owner is left in the dark.

What Site Owners Need to Know

When designing a website, especially one that relies on third-party plugins, it's time to double-check any installations made for "security" purposes. This recent exploit on WordPress highlights a broader trend in cybercrime: packaging malicious functionality inside tools that look helpful on the surface. It’s a digital Trojan Horse—and it’s catching people off guard.

Stick to plugins with strong reputations, recent updates, and a transparent changelogs. If something seems off—like a sudden drop in performance, strange site behavior, or unexpected admin logins—it’s time to investigate.

The bottom line? Security isn't just about what tools you install. It's about understanding how those tools behave and whether they're working for you, or against you.

References

[1] B. Toulas, “WordPress plugin disguised as a security tool injects backdoor,” BleepingComputer, Apr. 30, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/wordpress-plugin-disguised-as-a-security-tool-injects-backdoor/

[2] R. Lakshmanan, “Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers,” The Hacker News, May 1, 2025. [Online]. Available: https://thehackernews.com/2025/05/fake-security-plugin-on-wordpress.html

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks

-
Image
  A new Android malware-as-a-service (MaaS) platform named  SuperCard X   can facilitate near-field communication (NFC ) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to suggest that the service is promoted on Telegram channels. SuperCard X "employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud," security researchers Federico Valentini‍, Alessandro Strino, and Michele Roviello said. The new Android malware, the work of a Chinese-speaking threat actor, has been observed being propagated via three different bogus apps, duping victims into installing them via social engineering techniques like deceptive SMS or WhatsApp...
Read more