Managing multiple WordPress sites can be stressful. With the average WordPress site running 22 plugins, it’s crucial that every vulnerability is accounted for. That’s why we’re thrilled to announce our partnership with MainWP, bringing you two new Jetpack extensions in the MainWP marketplace. With this new agreement in place, managing multiple WordPress sites has never been easier.
Recently our colleague Joshua Goode escalated to the Security Research team an investigation he was performing on several websites that presented the same indicators of compromise. There were small variations in what the final payload was, but the attack timeline was always the same.
Attack timeline
As Joshua initially pointed out and subsequently confirmed by me, the chain starts with the installation of the core-stab plugin, followed by other additional items. The following timeline depicts one of the many compromised sites we reviewed:
Jan 10, 2023 @ 17:29:49.587 UTC – Core stab plugin upload – /wp-admin/update.php?action=upload-plugin
Jan 10, 2023 @ 17:29:52.270 – /wp-content/plugins/core-stab/index.php
Jan 11, 2023 @ 02:12:50.773 – /wp-admin/theme-install.php?tab=upload
Jan 11, 2023 @ 03:37:58.870 – Another core-stab install
Jan 11, 2023 @ 04:15:06.014 – Installation of a new plugin, task-controller, /wp-content/plugins/task-controller/index.php
Jan 11, 2023 @ 08:23:26.519 – Installation of WP File Manager (Unsure if by attacker but this plugin is typical with a lot of malware)
The most common “coincidence” is that all users involved in this attack had their emails listed on at least one public password leak since 2019, which only corroborates the overall findings: the attacker(s) used compromised or leaked accounts to install the malware.
You can find more details on how the core-stab malware works, as well as detailed detection and blocking information for WP security experts, via WPScan.
What to do if my site was infected?
If you find the core-stab plugin installed on your site, the first thing you should do is remove it and then follow these next steps: