Do you use Captcha, the WordPress plugin from BestWebSoft? You might want to scan it now because the plugin has been found to carry a backdoor script in its recent update.
Unfortunately, this plugin was pretty popular on the official WordPress site and had been downloaded more than 300K times the world over. Also, since it came from a reputable developer (BestWebSoft), this threat remained undetected for the most part – until now.
The official WordPress team has removed this plugin from the official WordPress Plugins repository and provided a clean version for affected customers.
Known only as Captcha, the plugin was one of the most popular CAPTCHA plugins on the official WordPress site and was the work of a well-established plugin developer named BestWebSoft, a company behind many other popular WordPress plugins.
How did it happen?
It happened the same way it has with many other WordPress plugins.
A free plugin becomes extremely popular and gets installed on many websites, a third party buys the plugin, and then injects a backdoor script in the very next update.
This plugin was sold in September, and the backdoor was slipped into the latest update.
We’ve seen this happen with some popular SEO plugins too, in the past.
Well, better late than never. If you’ve been using this plugin, make sure you get the clean, updated version, just to be sure.