Hackers abuse MU plugins to inject malicious payloads to WordPress

📟 News

Date: 01/04/2025

According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected.

The technique was first discovered in February 2025, but its spread rate is continuously growing, and currently attackers abuse MU plugins to run three different types of malicious code.

Must-Use Plugins represent a special type of WordPress plugins that run every time the page is loaded and don’t require activation in the Admin Panel. These PHP files are stored in the wp-content/mu-plugins/ directory, are executed automatically, and don’t appear in the Admin Panel on the Plugins page unless the Must-Use filter is selected.

Among other things, such plugins are used to enforce custom security rules across the website, boost performance, dynamically modify variables, etc.

Since MU plugins are executed on every page load and don’t appear in the standard plugin list, they can be used to covertly perform a wide range of malicious operations (e.g. steal credentials, inject malicious code, or modify HTML output).

Sucuri experts discovered three different payloads placed by cybercriminals to the MU-plugins directory:

  • redirect.php redirects visitors (excluding bots and logged in admins) to the malicious website updatesnow[.]net that displays a fake browser update prompt to trick the victim into downloading malware;
  • index.php is a web shell that acts as a backdoor by downloading and executing PHP code from a GitHub repository; and 
  • custom-js-loader.php loads JavaScript that replaces all images on the website with explicit content, hijacks all external links, and opens fraudulent pop-ups instead.

The most dangerous payload is the web shell since it enables attackers to remotely execute commands on the server, steal data, and deliver subsequent attacks on resource users and visitors.

The other two malware samples are more likely to damage the website’s reputation and its SEO rankings due to suspicious redirects and attempts to install malware on visitors’ computers.

The infection technique used by the malefactors remains unknown yet. Its assumed that the attackers exploit known vulnerabilities in WordPress plugins and themes or weak admin credentials.

Related posts:
2025.02.28 — Qualcomm extends support for Android devices to 8 years

Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…

Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress

According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…

Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage

According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…

Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud

ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…

Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update

Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…

Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store

According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…

Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals

Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…

Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates

The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…

Full article →
2025.02.05 — Google patches Android zero-day vulnerability exploited by hackers

Google released the February set of patches for Android. In total, they fix 48 bugs, including a kernel zero-day vulnerability actively exploited by hackers. The zero-day's…

Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE

Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…

Full article →