Take the “Is Human” WordPress plugin, for example.
It’s no longer available for download, no longer supported by its developers, and yet cybercriminals are still scanning websites hoping that someone still has it installed.
Why? Because versions 1.4.2 and earlier suffer from a remote command execution vulnerability. Below is a write-up from the corresponding exploit-db entry:
The vulnerability exists in /is-human/engine.php.
It is possible to take control of the eval() function via the ‘type’ parameter, when the ‘action’ is set to log-reset. From here we can run out own code.
In order to avoid any errors we point the $is_hum->get_* array variable into $is_hum->get_ih and to close the execution without error we point it to php stored function error_log(). In between we may place our own php code and use the passthru() function to execute commands.
Execution running the linux whoami command:
We recently experienced attempts to exploit said vulnerability on our website, all of which failed because we don’t use this plugin – not to mention they used the incorrect filepath. All attempts originated from the same (U.S.-based) IP address:
The base64_ decoded text is:
Obviously this post serves as a warning to anyone that may still have this plugin installed on their WordPress website. Cybercriminals will attempt to exploit any vulnerability – old or new – to cause mischief and mayhem.
WordPress is a popular CMS, and it’s important that anyone running it keeps the platform and any installed plugins up-to-date.