Hackers Exploit Abandoned WordPress Plugin 'Eval PHP' to Compromise Websites

Cybersecurity firm Sucuri has uncovered a new wave of attacks targeting WordPress websites by exploiting an abandoned plugin called Eval PHP.

The plugin hasn’t been updated for more than a decade, allowing it to become a powerful tool for hackers, who use it to inject backdoors into websites to gain unauthorized access.

Eval PHP was initially designed to let users execute PHP code within their WordPress posts and pages. However, the plugin has long been considered abandonware, with its developer seemingly discontinuing updates and support. Despite its outdated status, many WordPress websites still use the plugin, leaving them vulnerable to attack.

Sucuri's discovery of the vulnerability in Eval PHP has brought renewed attention to the risks associated with abandoned plugins. They can pose significant security threats as they are not maintained, allowing attackers to exploit unpatched vulnerabilities and infect websites.

In Eval PHP’s case, hackers exploit the plugin to inject backdoors into targeted WordPress websites. Successful infections let perpetrators gain access, steal sensitive information, or completely take over websites. Threat actors often weaponize compromised websites as part of bigger attacks, such as launching distributed denial of service (DDoS) attacks or malware campaigns.

To make matters worse, the exploit’s mechanisms let attackers achieve persistence on the compromised websites, even after the plugin is removed.

“Although the injection in question does drop a conventional backdoor into the file structure, the combination of a legitimate plugin and a backdoor dropper in a WordPress post allows them to easily reinfect the website and stay hidden — all they need to do is to visit a ’benign‘ web page,” reads Sucuri’s security advisory.

WordPress users should immediately remove the Eval PHP plugin from their websites to mitigate the risk of compromise, replace abandoned plugins with well-supported alternatives and ensure that all installed plugins are up to date and secure.

Additionally, website owners are advised to implement strong security measures, such as using unique, complex passwords, enabling two-factor authentication, and regularly monitoring for suspicious activity.