Open lmag opened 3 years ago
Thanks for reporting. Could you give some more context, further explain what you mean in step 3?
He installs this extension and, once the installation is complete, he manages to upload a shell in the extension files.
Could you please let me know:
- What version of WordPress is installed?
- What version of the plugin?
- Is the plugin being installed from the WP repository?
- Is there any other plugin activated or deactivated?
- Which is the theme installed?
- Does this happen in a fresh WordPress installation?
- Could you please further explain what does this user do in order to upload this shell script?

Thank you
- What version of WordPress is installed? Last one
- What version of the plugin? Version 1.3.0
- Is the plugin being installed from the WP repository? Yes
- Is there any other plugin activated or deactivated? Yes
- Which is the theme installed? Made by us but we do not use your plugin
- Does this happen in a fresh WordPress installation? I do not know
- Could you please further explain what does this user do in order to upload this shell script? After installing your plugin, he uploads the shell (https://www.youtube.com/watch?v=BQfInAMN9fg&feature=youtu.be)
We are not sure that your plugin is involved but it is installed on hacked WordPress. We are continuing the investigation.
Thank you for the information. Please update the plugin to version 1.3.1. With regard to the server side, the plugin only has the main PHP file, which enqueues the JS script and a CSS style in the Gutenberg editor and a style in the front, using wp_enqueue_script and wp_enqueue_style. Please let me know of any future news on these sites.
We have many WordPress hacks with the same method:
1) Creation of a user: "Beast3x" with the role "admin"
2) Addition of the extension "Melonpan Block - Container"
3) Hack the extension and upload a shell script
4) WebShellOrb 2.6 from anonymousfox.com
5) Change of cPanel emails and information
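
The maintainer's comment in this thread says the plugin ships a single main PHP file, so any other server-executable file found in its directory on an affected site did not come from the plugin. A sketch of that integrity check, added here as an example and not part of the thread or the plugin's code; the directory name, file names and extension list are constructed placeholders and assumptions.

```python
import os
import tempfile
from pathlib import Path

# Assumption: extensions a typical PHP handler may execute; match this to the server config.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}
# Per-directory config files that can change which files get executed.
CONFIG_NAMES = {".htaccess", ".user.ini"}


def unexpected_server_files(plugin_dir, main_file):
    """Return relative paths of server-side files other than the expected main_file."""
    root = Path(plugin_dir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            # Look at every suffix so double extensions like "x.php.png" are reported too.
            suffixes = {s.lower() for s in path.suffixes}
            if suffixes & EXECUTABLE_SUFFIXES and rel != main_file:
                findings.append(rel)
            elif name.lower() in CONFIG_NAMES:
                findings.append(rel)
    return sorted(findings)


def demo():
    """Audit a constructed plugin tree (all names below are made up for the example)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "example-plugin"
        (root / "build").mkdir(parents=True)
        for rel in ("example-plugin.php", "build/index.js", "build/style.css",
                    "build/cache.PHP", "build/logo.php.png", "build/.htaccess"):
            (root / rel).write_text("constructed sample\n")
        return unexpected_server_files(root, "example-plugin.php")


if __name__ == "__main__":
    for hit in demo():
        print("unexpected:", hit)
```

On a real site, point `unexpected_server_files` at the plugin's directory under `wp-content/plugins/` and pass the name of its main PHP file; each hit is a file to inspect, together with the list of administrator accounts.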