Three Plugins Backdoored in Supply Chain Attack
by Dan Moen , Wordfence.com
December 27, 2017

In the last two weeks, the WordPress.org repository has closed three plugins because they contained content-injection backdoors. “Closing” a plugin means that it is no longer available for download from the repository, and will not show up in WordPress.org search results. Each of them had been purchased in the previous six months as part of the same supply chain attack, with the goal of injecting SEO spam into the sites running the plugins.

Duplicate Page and Post

URL: https://wordpress.org/plugins/duplicate-page-and-post/
Active Installs: 50,000+
Current Owner: pluginsforwp (joined WordPress.org July 10, 2017)
Sold Date: August 2017
Removed from WordPress.org date: December 14, 2017
The original plugin author responded to our request for information on the sale of the plugin, confirming that they did indeed sell the plugin to a person named Daley Tias in the summer of 2017. However, we were unable to find any record of a person named Daley Tias online. The original plugin author had not shared the purchase solicitation message with us at the time of this writing.


No Follow All External Links

URL: https://wordpress.org/plugins/nofoll...xternal-links/
Active Installs: 9,000+
Current Owner: gearpressstudio (joined WordPress.org March 17, 2017)
A company called Orb Online in West Sussex, UK, made the payment for the plugin. A quick Google search leads us to their website: “Orb Online is a UK based digital marketing agency, specialising in SEO, eCommerce and Magento web development.”

WP No External Links

URL: https://wordpress.org/plugins/wp-noexternallinks/
Active Installs: 30,000+
Current Owner: steamerdevelopment (joined WordPress.org June 29, 2017)
The same person (or alias), Daley Tias, purchased both the Duplicate Page and Post and WP No External Links plugins. Payment was received from Orb Online, with the contact email address info@orbonline.co.uk. This is the same company that paid for the No Follow All External Links plugin.
