Attackers use abandoned WordPress plugin to backdoor websites
Attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors.
Eval PHP is an old WordPress plugin that allows site admins to embed PHP code on pages and posts of WordPress sites and then execute the code when the page is opened in the browser.
The plugin has not been updated in the past decade and is generally considered abandonware, yet it is still available through the WordPress plugins repository.

According to website security firm Sucuri, the trend of using Eval PHP to embed malicious code on seemingly innocuous WordPress pages surged in April 2023, with the WordPress plugin now having an average of 4,000 malicious installations per day.

The main advantage of this method versus conventional backdoor injections is that Eval PHP may be reused to reinfect cleaned sites while keeping the point of compromise relatively hidden.
PHP code injections detected over the last couple of weeks deliver a previously documented payload that gives the attackers remote code execution capabilities over the compromised site.
The malicious code is injected into the targeted websites’ databases, specifically into the ‘wp_posts’ table. This makes it harder to detect, as it evades standard website security measures like file integrity monitoring, server-side scans, etc.

To do that, the threat actors use a compromised or newly created administrator account to install Eval PHP, allowing them to insert PHP code into pages and posts of the breached site using [evalphp] shortcodes.
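Because the injected code lives in the ‘wp_posts’ table rather than on disk, file integrity monitoring never sees it; the place to look is the database itself. The following added example (not code from the article or from Sucuri) shows a small triage script that queries the posts table for [evalphp] shortcodes and flags the ones whose body calls functions typically used for obfuscated or file-writing code. It uses an in-memory SQLite table with constructed sample rows in place of a live MySQL database, keeps the real WordPress column names (ID, post_title, post_status, post_content), and the list of suspicious function names is an assumed heuristic, not one taken from the article.

```python
import re
import sqlite3

# Assumed heuristic: PHP calls that are rarely legitimate inside a page-level
# shortcode and commonly appear in obfuscated or dropper-style code.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|file_put_contents|"
    r"system|shell_exec|passthru)\s*\(",
    re.IGNORECASE,
)

# The Eval PHP plugin executes whatever sits between these tags.
SHORTCODE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.IGNORECASE | re.DOTALL)


def build_sample_db():
    """Constructed stand-in for a WordPress database: a minimal wp_posts table.

    Row 3 is a placeholder: the base64 string decodes to the text
    'PHP payload placeholder', not to real code.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, "
        "post_status TEXT, post_content TEXT)"
    )
    rows = [
        (1, "Welcome", "publish", "<p>Hello from our site.</p>"),
        (2, "Footer year", "publish", "[evalphp] echo date('Y'); [/evalphp]"),
        (3, "Untitled", "draft",
         "[evalphp] eval(base64_decode('UEhQIHBheWxvYWQgcGxhY2Vob2xkZXI=')); [/evalphp]"),
    ]
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", rows)
    return conn


def find_evalphp_posts(conn):
    """Return every post carrying an [evalphp] shortcode, with the suspicious
    calls found inside it (an empty list means the shortcode looked benign).

    The WHERE clause is the same query a responder would run against MySQL;
    drafts and private posts are included on purpose, since a page does not
    have to be public for the plugin to execute it when previewed.
    """
    cur = conn.execute(
        "SELECT ID, post_title, post_status, post_content FROM wp_posts "
        "WHERE post_content LIKE '%[evalphp%'"
    )
    findings = []
    for post_id, title, status, content in cur:
        for block in SHORTCODE.findall(content):
            hits = sorted({m.lower() for m in SUSPICIOUS_CALLS.findall(block)})
            findings.append(
                {"id": post_id, "title": title, "status": status, "suspicious": hits}
            )
    return findings


if __name__ == "__main__":
    for f in find_evalphp_posts(build_sample_db()):
        verdict = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"post {f['id']} ({f['status']}) '{f['title']}': {verdict} {f['suspicious']}")
```

Against a real site, point the same query at the MySQL database (or at a `wp db query` export) and treat every hit as a record to review, not only the flagged ones: the article's point is that any [evalphp] shortcode is a persistence mechanism, so the benign-looking rows still need an owner who can explain why the plugin is installed at all.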