Malicious actors are abusing the “mu-plugins” directory of WordPress sites to conceal malicious code, allowing them to maintain persistent remote access and redirect site visitors to fake websites.
The term “mu-plugins” refers to must-use plugins, which are located in a special directory (“wp-content/mu-plugins”) and are automatically executed by WordPress without needing to be enabled through the admin dashboard. This makes the directory an attractive location for malicious actors to stage malware.
“This approach represents a concerning trend, as mu-plugins are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to overlook during routine security checks,” Sucuri researcher Puja Srivastava said in an analysis.
In incidents analyzed by the website security company, three types of malicious PHP code have been discovered in the directory:
- “wp-content/mu-plugins/redirect.php,” which redirects site visitors to an external malicious website
- “wp-content/mu-plugins/index.php,” which provides web shell-like functionality, allowing attackers to execute arbitrary code by downloading a remote PHP script hosted on GitHub
- “wp-content/mu-plugins/custom-js-loader.php,” which injects unwanted spam onto the infected website, likely to promote scams or manipulate SEO rankings, by replacing all images on the site with explicit content and hijacking outbound links to malicious sites
The “redirect.php” script disguises itself as a web browser update to trick victims into installing malware that can steal data or drop additional payloads.
Srivastava explained, “the script includes a function that identifies whether the current visitor is a bot, allowing it to exclude search engine crawlers and prevent them from detecting the redirection behavior.”
This development comes as threat actors continue to use infected WordPress sites as staging grounds to trick website visitors into running malicious PowerShell commands on their Windows computers under the guise of a Google reCAPTCHA or Cloudflare CAPTCHA verification, a tactic known as ClickFix, to deliver the Lumma Stealer malware.
Hacked WordPress sites are also being used to deploy malicious JavaScript that can redirect visitors to unwanted third-party domains or act as a skimmer to siphon financial information entered on checkout pages.
The method used to breach the sites is currently unknown, but common entry points include vulnerable plugins or themes, compromised admin credentials, and server misconfigurations.
A recent report from Patchstack revealed that threat actors have routinely exploited four different security vulnerabilities since the start of the year, including:
- CVE-2024-27956 (CVSS score: 9.9) – An unauthenticated arbitrary SQL execution vulnerability in WordPress Automatic Plugin – AI content generator and auto poster plugin
- CVE-2024-25600 (CVSS score: 10.0) – An unauthenticated remote code execution vulnerability in Bricks theme
- CVE-2024-8353 (CVSS score: 10.0) – An unauthenticated PHP object injection to remote code execution vulnerability in GiveWP plugin
- CVE-2024-4345 (CVSS score: 10.0) – An unauthenticated arbitrary file upload vulnerability in Startklar Elementor Addons for WordPress
To mitigate these threats, it is crucial that WordPress site owners keep plugins and themes up to date, regularly audit code for malware, enforce strong passwords, and deploy a web application firewall to block malicious requests and prevent code injections.
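A defender-side audit of the mu-plugins directory described above, added here as an example; it is not code from Sucuri or from the article. Only the three filenames come from the report; the pattern list, the reason labels and the constructed fixture in demo() are my own assumptions for triage, not indicators of compromise.

```python
import os
import re
import tempfile

# Filenames Sucuri reported in wp-content/mu-plugins. A name match is only a
# pointer to review: index.php in particular is often a benign placeholder.
REPORTED_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}

# Constructs worth a closer look in a must-use plugin (assumed heuristics for
# triage, not proof): remote fetch, dynamic eval, obfuscation, redirects, UA checks.
SUSPICIOUS = {
    "remote_fetch": re.compile(r"(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "dynamic_eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "bot_check": re.compile(r"HTTP_USER_AGENT", re.I),
}

def audit_mu_plugins(wp_content):
    """Walk wp_content/mu-plugins and return {relative_path: [reasons]} for
    every PHP file that matches a reported name or a suspicious construct."""
    mu_dir = os.path.join(wp_content, "mu-plugins")
    findings = {}
    if not os.path.isdir(mu_dir):
        return findings
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(root, name)
            reasons = ["filename reported by Sucuri"] if name in REPORTED_NAMES else []
            with open(full, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            reasons += [label for label, rx in SUSPICIOUS.items() if rx.search(src)]
            if reasons:
                findings[os.path.relpath(full, wp_content)] = reasons
    return findings

def demo():
    """Constructed fixture: a benign loader plus an inert stand-in for redirect.php."""
    wp_content = tempfile.mkdtemp()
    mu_dir = os.path.join(wp_content, "mu-plugins")
    os.makedirs(mu_dir)
    with open(os.path.join(mu_dir, "site-loader.php"), "w") as fh:
        fh.write("<?php\nrequire_once __DIR__ . '/lib/helpers.php';\n")
    with open(os.path.join(mu_dir, "redirect.php"), "w") as fh:  # crawler check, then a redirect
        fh.write("<?php\nif (stripos($_SERVER['HTTP_USER_AGENT'], 'bot') === false) {\n"
                 "    header('Location: https://example.invalid/update');\n}\n")
    return audit_mu_plugins(wp_content)
```

Run audit_mu_plugins against a real wp-content path and review every hit by hand; a clean result does not rule out malware stored elsewhere, such as the theme or uploads directories.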