A recent cybersecurity report has revealed that Eval PHP, a genuine yet outdated WordPress plugin, is being utilised by threat actors to inject stealthy backdoors into websites, thereby compromising them.

Eval PHP is a WordPress plugin that allows administrators to insert PHP code into posts and pages of WordPress template sites. The code then executes when a webpage is loaded into the web browser. However, the plugin hasn’t been updated in the last decade and is commonly considered abandonware. Despite this, it is still available in the WordPress plugin repository.

Malicious code activity uncovered

Sucuri, a website security firm, has reported a recent spike in the use of Eval PHP to embed harmful code into WordPress pages. According to their statistics, the outdated plugin now sees around 4,000 malicious installations every day.

The PHP code injections that have been detected in recent weeks deliver a payload that grants threat actors remote code execution (RCE) capabilities on the compromised WordPress site.

The malicious code is injected into databases belonging to the targeted WordPress site, specifically into the table titled: ‘wp_posts’. This approach makes it harder to detect the malicious code, as it can evade basic website security measures such as server-side scans and file integrity monitoring.

To accomplish this, threat actors use a newly created or compromised admin account to install the Eval PHP plugin, enabling them to insert PHP code directly into the posts and pages of the breached website using the short code “evalphp”.

Payload injection code impact

Once the malicious code starts to run, it adds a backdoor into the site root. The backdoor is named differently in each attack. The malicious installations of the Eval PHP plugin are triggered from several different IP addresses, including 212.113.119.6, 79.137.206.177, and 91.193.43.151. The malicious backdoor doesn’t use POST requests for Command and Control (C2) server communication to avoid detection. Instead, it transmits data via cookies along with GET requests that have no visible parameters.

Furthermore, the harmful evalphp short codes are embedded in saved drafts, which are hidden inside the SQL dump for the “wp_posts” table, and never on published posts. However, this still provides enough control to execute the malicious code designed to add the backdoor to the WordPress site’s database.

Researchers at Sucuri have highlighted the need for technology companies to delist unmaintained older plugins that can easily be used by threat actors to commit abusive and malicious activity. They have also pointed out that Eval PHP is not the only plugin representing a risk.

Until WordPress plugin repository managers decide to act, WordPress site owners are advised to secure their administrator panels and keep their WordPress installations up to date while always using a web app firewall.