A WordPress plugin called Custom Content Type Manager has been revealed to contain a backdoor which its owner was using to access core files and steal user credentials. The plugin has been installed on over 10,000 sites in the three years it has been available, offering services for creating custom post types.
However, in the past month the plugin abruptly changed owner and released a new version, after having had no updates for the previous ten months. This new version was riddled with problematic changes, including the auto-update.php file which could download files from the server on the infiltrated website and CCTM_Communicator.php file which alerted the owner’s server when a new site became compromised.
The plugin gathered information on the infected site, recorded encrypted usernames and passwords, and sent the data to the core server, giving the owner full access as administrator to any of the infiltrated websites.
Those who have downloaded this plugin are advised to remove it immediately, downgrade core files to the standard version, and either get rid of the CCTM plugin or use the last confirmed stable version (0.9.8.6). Even if you have installed the plugin at some point but never updated it, you may have been automatically updated to this malicious version.