Cybersecurity researchers identified a new backdoor within WordPress mu-plugins that gives attackers persistent access to sites. Unlike regular plugins, mu-plugins are not listed in the admin panel, making them harder to detect. A PHP script within the mu-plugins directory acts as a loader for additional malicious payloads stored in the WordPress database. This backdoor enables attackers to run arbitrary PHP code remotely, inject malware, create unauthorized user accounts, and modify site content, providing comprehensive control over compromised sites.
The malware used in this attack operates discreetly, as mu-plugins do not appear in the regular plugin list and cannot be disabled without deleting the file.
It allows threat actors to gain persistent access, execute arbitrary PHP code, and control site functionality without raising alarms.
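
A defensive audit for the loader pattern described above, as an added example that is not from the researchers or the original page: it lists every PHP file under an mu-plugins directory (since these do not show in the regular plugin list) and flags files that both read from the database and execute code dynamically. The regex heuristics, file names and option name are constructed assumptions, not published indicators.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions, not indicators published on the page).
DB_READ = re.compile(r"\b(get_option|get_site_option|get_transient)\s*\(|\$wpdb\s*->", re.I)
DYN_EXEC = re.compile(r"\b(eval|assert|create_function)\s*\(|\b(include|require)(_once)?\b[^;]*\$", re.I)
DECODE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def audit_mu_plugins(mu_dir):
    """Return one finding per PHP file under mu_dir, loader-like files first."""
    findings = []
    for path in sorted(Path(mu_dir).rglob("*.php")):
        src = path.read_text(errors="replace")
        flags = [name for name, rx in
                 (("db_read", DB_READ), ("dynamic_exec", DYN_EXEC), ("decode", DECODE))
                 if rx.search(src)]
        # Loader shape from the article: payload read from the database, then executed.
        loader_like = "db_read" in flags and "dynamic_exec" in flags
        findings.append({"file": path.name, "flags": flags, "loader_like": loader_like})
    return sorted(findings, key=lambda f: not f["loader_like"])


def demo():
    """Run the audit over two constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed benign mu-plugin.
        Path(tmp, "site-tweaks.php").write_text(
            "<?php add_filter('xmlrpc_enabled', '__return_false');\n")
        # Constructed loader-shaped file (option name is a placeholder).
        Path(tmp, "cache-helper.php").write_text(
            "<?php $p = get_option('_constructed_key'); eval(base64_decode($p));\n")
        return audit_mu_plugins(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real site, point `audit_mu_plugins` at `wp-content/mu-plugins` and review every listed file, flagged or not, since any file there runs on every request.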