- Security researchers found javaScript code installed four rear doors to WP-driven places
- They also found a vulnerable plugin that enabled the acquisition of full site
- There are patches and mitigation for all these vulnerabilities
A single piece of JavaScript code released no less than four separate rear doors of approx. 1,000 WordPress websites, according to a new report from cybersecurity scientists C/Side, which detailed the four back doors and explained how site -building users should protect themselves.
The analysis did not elaborate on how the malicious JavaScript came into these sites – we can assume either weak or compromised passwords, a vulnerable addition or the like. In any case, the code is served via CDN.Csyndication[dot]com, a domain mentioned on at least 908 sites.
It exposes four back doors. One installs a false plugin called “Ultra SEO processor” that can perform commands externally, an injection of malicious javascript in wp- config.php, an adds an SSH key to give threat actors sustained access, and you run commands reverse and open a reverse shell.
Chaty Pro 10/10
To minimize the risk advises C/Side Website Owners Deleting Unauthorized SSH key, rotates their WP -ADMIN GIFIRATION INFORMATION AND SECURAL SYSTEM LOGS FILES for any suspicious activity.
At the same time, Patchstack Chaty Pro, found a popular WordPress plugin with approx. 18,000 installations, activated malicious file uploads on sites where it was installed. Chaty Pro allows owners to integrate chat services with social messaging tools.
The error is traced as CVE-2025-26776 and has a 10/10 severity (critical). Since threat actors can use it to upload malicious files, it can lead to full takeover of sites, and thus the critical difficulty. Infosecurity Magazine Reports The feature included a whitelist of allowed file extensions which unfortunately was never implemented.
“Uploaded file name contains the upload time and a random number between 100 and 1000, so it is possible to upload a malicious PHP file and access it by briding forcing possible file names around the upload time,” Patchstack explained.
Chaty Pro’s maintenance released a solution on February 11th. All users are advised to upgrade the extension to version 3.3.4.
Via Hacker the news
