Some weeks ago a critical unauthenticated privilege escalation vulnerability was discovered in old, unpatched versions of the wp-user-avatar plugin. It also allows arbitrary file uploads, which is where we have been seeing the infections start. The plugin has over 400,000 installations, so we have seen a sustained campaign to infect sites that have it installed. In this post I will review a common infection seen as a result of this vulnerability in the wp-user-avatar plugin. If you have this plugin on your website, be sure to update it straight away!
Uploading a Backdoor to a Website
First off, as is typical in such malware campaigns, the attackers start by uploading a backdoor to the website. With this infection they have been abusing the upload functionality of the wp-user-avatar plugin. The files tend to be located in the following directories used by this plugin:
./wp-content/uploads/pp-avatar
./wp-content/uploads/pp-files

Here's an example backdoor that we have...
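Because the plugin's upload directories are meant to hold profile images only, a PHP file (or an "image" that contains a PHP open tag) sitting in them is a strong indicator of exactly the kind of upload described above. The following script is an added example for site owners and is not code from the original post or from the plugin: it walks the two directories named above under a web root, flags any file whose extension is not in an image allowlist, and additionally flags image-named files that carry a PHP tag in their leading bytes. The helper `build_demo_webroot` constructs a throwaway sample tree (one clean PNG, one stray `.php`, one disguised `.jpg` holding a harmless placeholder tag) so the scan runs offline; the allowlist and the 64 KiB read window are assumptions you can tune.

```python
import os
import re
import tempfile

# Directories the post says the wp-user-avatar plugin writes uploads to,
# relative to the WordPress web root.
PLUGIN_UPLOAD_DIRS = ("wp-content/uploads/pp-avatar", "wp-content/uploads/pp-files")

# Avatar/profile uploads should be images; anything else deserves a look.
# (Assumed allowlist: adjust to what your site legitimately stores here.)
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}

# PHP open tags, matched case-insensitively on raw bytes so a backdoor hidden
# behind an image extension is still noticed. "<?xml" does not match.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|<\?\s", re.IGNORECASE)

# Only the leading bytes are inspected (assumption: enough for uploaded files).
HEAD_BYTES = 65536


def classify_file(path):
    """Return a short reason string if the file looks suspicious, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return f"unexpected extension {ext or '(none)'}"
    try:
        with open(path, "rb") as f:
            head = f.read(HEAD_BYTES)
    except OSError as exc:
        return f"unreadable: {exc}"
    if PHP_MARKERS.search(head):
        return "PHP tag inside a file with an image extension"
    return None


def scan_upload_dirs(webroot, dirs=PLUGIN_UPLOAD_DIRS):
    """Walk the plugin's upload dirs under webroot; return sorted (relpath, reason) pairs."""
    findings = []
    for rel in dirs:
        base = os.path.join(webroot, rel)
        if not os.path.isdir(base):
            continue  # directory absent: nothing uploaded there (or plugin not installed)
        for dirpath, _, filenames in os.walk(base):
            for name in filenames:
                full = os.path.join(dirpath, name)
                reason = classify_file(full)
                if reason:
                    findings.append((os.path.relpath(full, webroot), reason))
    return sorted(findings)


def build_demo_webroot():
    """Constructed sample tree: one clean avatar, one stray .php, one disguised .jpg."""
    root = tempfile.mkdtemp(prefix="wpdemo-")
    avatar_dir = os.path.join(root, "wp-content/uploads/pp-avatar")
    files_dir = os.path.join(root, "wp-content/uploads/pp-files")
    os.makedirs(avatar_dir)
    os.makedirs(files_dir)
    # Legitimate avatar: PNG signature followed by filler bytes.
    with open(os.path.join(avatar_dir, "user42.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    # Stray PHP file where only images belong (placeholder content, not a real sample).
    with open(os.path.join(avatar_dir, "avatar.php"), "wb") as f:
        f.write(b"<?php /* constructed placeholder */ ?>")
    # Image-named file whose bytes start like a JPEG but then carry a PHP tag.
    with open(os.path.join(files_dir, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"<?php /* constructed placeholder */ ?>")
    return root


if __name__ == "__main__":
    demo_root = build_demo_webroot()
    for relpath, reason in scan_upload_dirs(demo_root):
        print(f"{relpath}: {reason}")
```

Point `scan_upload_dirs` at the real web root instead of the demo tree to use it on a live site; on a clean install it should return an empty list. Flagging on content as well as extension matters because a file named `photo.jpg` that begins with a PHP tag will still be executed as PHP on hosts with permissive handler configuration, so an extension-only check would miss it.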