- Security researchers have found the JavaScript code by installing four wanderings on sites powered by WP
- They also found a vulnerable plugin allowing complete takeover of the website
- There are fixes and attenuations for all these vulnerabilities
A single JavaScript code has deployed no less than four separate deadlines on around 1,000 WordPress websites, according to a new report by C / Side cybersecurity researchers, which detailed the four waste and explained how users of the web manufacturer should protect themselves.
The analysis did not explain how the malicious javascript did these websites – we can assume low or compromise passwords, a vulnerable or similar add -on module. In any case, the code is served via CDN.csyndication[dot]com, an area mentioned in at least 908 websites.
It deploys four baths. We install a false plugin called “Ultra SEO processor” which can execute remote controls, we inject a malicious javascript in wp-config.php, we add an SSH key to allow the threat actors a persistent access, and we perform remote controls and opens an inverted shell.
Chatty Pro 10/10
To minimize the risk, C / Side advises websites to delete unauthorized SSH keys, to rotate their WP administration identification information and to scan the systemal newspapers for any suspicious activity.
At the same time, Patchstack found Chaty Pro, a popular WordPress plugin with some 18,000 installations, allowing downloads of malware on websites where it was installed. Chaty Pro allows owners to integrate cat services with social messaging tools.
The defect is followed as CVE-2025-26776 and has a 10/10 (critical) gravity score. Since threat stakeholders can use it to download malware, this can lead to a complete takeover of the website, hence critical gravity. Infosecurity magazine Reports The function included a white list of authorized file extensions which were unfortunately never implemented.
“The downloaded file name contains the download time and a random number between 100 and 1000, so it is possible to download a malicious PHP file and access it by forcing the possible file names around the download time,” said Patchstack.
Chaty pro officials published a correction on February 11. All users are invited to upgrade the extension to version 3.3.4.
Via The Hacker News
