Security Warning
7/18/2023 - Mackenly Jones
TL;DR This plugin doesn't appear to be vulnerable but there is a modified version of this plugin being used in attacks.
In early July 2023 I identified a malicious plugin called Custom Scripts for Customesar that redirects site visitors to malicious sites, adds administrators credentials to WordPress, and adds malicious scripts throughout the server's filesystem. The plugin is a modified version of the Custom Scirpts for Customizer (source) plugin and uses the directory name custom-scripts-for-customesar
within the WP plugins directory.
Some of the malicious redirect URLs are:
qzgxqt.com
http://get.scriptsplatform.com/bet.txt
http://put.clickandanalytics.com/set.php
If your site has been attacked with this malware:
First, deactivate all plugins, then update WordPress and all plugins/themes. Then, to clean up, you'll want to review your admins and remove any suspicious users, remove the plugin itself, clean up WordPress's /wp-includes/js/jquery/jquery.min.js and /wp-includes/js/jquery/jquery-migrate.min.js (the malware modifies them), remove /wp-log-{random characters}.php and /wp-content/uploads/wp-log-{random characters}.php, and mitigate any other actions takes by the plugin. Since this plugin gives the attacker admin credentials, it's safe to assume that a data leak could have taken place or other malicious actions using those credentials. You'll need to review the logs and code of your system to determine exactly what happened and what need to be fixed.
Samples have been submitted to US-CERT and Wordfence
Please contact here with the purpose of "Security" to request a sample or further information.