rupok / custom-script-for-customizer Goto Github PK

Security Warning

7/18/2023 - Mackenly Jones

TL;DR This plugin doesn't appear to be vulnerable but there is a modified version of this plugin being used in attacks.

In early July 2023 I identified a malicious plugin called Custom Scripts for Customesar that redirects site visitors to malicious sites, adds administrators credentials to WordPress, and adds malicious scripts throughout the server's filesystem. The plugin is a modified version of the Custom Scirpts for Customizer (source) plugin and uses the directory name custom-scripts-for-customesar within the WP plugins directory.

Some of the malicious redirect URLs are:

• qzgxqt.com
• http://get.scriptsplatform.com/bet.txt
• http://put.clickandanalytics.com/set.php

If your site has been attacked with this malware:
First, deactivate all plugins, then update WordPress and all plugins/themes. Then, to clean up, you'll want to review your admins and remove any suspicious users, remove the plugin itself, clean up WordPress's /wp-includes/js/jquery/jquery.min.js and /wp-includes/js/jquery/jquery-migrate.min.js (the malware modifies them), remove /wp-log-{random characters}.php and /wp-content/uploads/wp-log-{random characters}.php, and mitigate any other actions takes by the plugin. Since this plugin gives the attacker admin credentials, it's safe to assume that a data leak could have taken place or other malicious actions using those credentials. You'll need to review the logs and code of your system to determine exactly what happened and what need to be fixed.

Samples have been submitted to US-CERT and Wordfence

Please contact here with the purpose of "Security" to request a sample or further information.