WordPress Plugin Vulnerabilities
Uncanny Automator Pro 7.3.0.5 - Backdoor via Compromised Vendor Update Server
Description
The plugin was distributed with malicious code after the vendor's plugin update/distribution infrastructure was compromised; the injected backdoor grants unauthenticated attackers an administrator session on affected sites and beacons the site's secret keys and administrator details to attacker-controlled servers.
Affected build: 7.3.0.5 (not an official release - absent from the vendor changelog, which goes 7.3.0.4 -> 7.3.0.6). Verified-clean build: 7.3.0.6.
Indicators of compromise: the WordPress option "_wpc_uid" and transient "_wpcs"; unauthenticated requests carrying a "_wplogin" query parameter; outbound beacons to https://tidio.cc/ua/recv.php and http://84.201.6.54/ua/recv.php; and the injected init-hook code in uncanny-automator-pro.php (see PoC).
Per the vendor, removing and reinstalling the plugin alone may not fully clean an infected site. Vendor advisory: https://automatorplugin.com/security-incident-notice-uncanny-automator/