Hidden code gives plugin developers admin access to WordPress sites

Developer Pipdig denies any wrongdoing

Users have been left wondering whether they should continue trusting their own WordPress site, after it was revealed that software developers had administrative access to sites through code hidden behind a popular plugin.

On Friday, Pipdig Power Pack (P3), the plugin in question, was reported to have a number of “backdoors” obfuscated within its code, which according to security researchers at Wordfence, had been installed in up to 15,000 sites.

Most of the issues have been resolved in the latest version of the plugin, 4.8.0, and users are advised to update their software immediately.

Reports by both Wordfence and Jem, an independent blogger, highlighted how the plugin was granting its developers – UK-based Pipdig – administrative access to all WordPress sites running the software via a hidden password reset function.

The plugin also allegedly bundled the ability to run denial-of-service (DDoS) attacks, and even delete entire websites remotely, unbeknownst to users.

“While we’re stopping short of recommending removing the software, serious consideration should be given on whether to treat Pipdig as a trustworthy vendor going forward,” Wordfence said in a blog post.

“Given the dubious nature of the code present in the previous version and obvious efforts to obscure it, Pipdig’s intentions remain unclear”

In a blog post published yesterday, Pipdig denies ever intending to harm to its users, and highlighting how an older version of P3 was able to reset a site back to its default settings – a feature which others have described as a “kill switch”.

This function, Pipdig claimed, was made available following a security incident in July 2018.

“Last year we had some serious problems after someone obtained a huge list of license keys and downloaded all of our products,” Phil Clothier, Pipdig’s creative director, told Wordfence.

“The keys and files were then distributed on their file sharing site, which has since been taken down (not by us, ironically!). The drop tables function was put in place to try to stop this at the time.”

It is unclear whether Pipdig announced the issuing of a patch, or indeed if all issues have in fact been remediated with version 4.8.0.

Wordfence plans to launch a WordPress dashboard notification in order to inform users that have the P3 plugin on their systems.

“It’s understandable that Pipdig may not want to draw attention to these issues, but disclosing the existence of a security release is ethically important,” Wordfence said.

The Daily Swig has reached out to Pipdig for comment.