Do you use a semi-popular WordPress plugin called Custom Content Type Manager (CCTM)?  If so, you will want to stop everything and change ALL your user passwords, roll back (or use the latest release) of CCTM, as well as patch a list of files compromised thanks to the new plugin user who installed a backdoor and had the plugin email him login credentials upon each site being compromised.

The plugin, Custom Content Type Manager, also known as CCTM, was a plugin with 10k+ installs that hadn’t seen an update in ten months – until last week.  It appears the plugin was either sold to a new author who promptly updated the plugin to install all kinds of nastiness to anyone who auto or manually updated the plugin, or the new author hacked ownership.

Multiple people reported being hacked after updating the plugin, as well as noticing a new admin user added to their sites, compliments of the plugin.  New reports were coming in as of a day ago.

WordPress then stepped in yesterday to roll back the plugin to its previous version, and removed the author wooranker from the plugin, to prevent new updates from being made from that user.  They posted this to assist those who had their sites compromised.

The plugin has been manually patched by the plugins Team.

Version 0.9.8.9 is clean.

Firstly, reset your passwords, do it for all user accounts. Maybe consider 2 Factor Authentication after that.

Do yourselves a favour and restore a backup if you have one.

If you do not, download the WordPress version corresponding to yours from our site and replace the wp-admin and wp-includes folders. https://wordpress.org/download/release-archive/

You also need to remove the newly added admin support@wordpresscore*com, since it will still have admin credentials even after cleaning up the other compromised files.

Sucuri also has a lot more details on how this plugin turned malicious on sites, with their step by step research once they discovered the exploit in the wild.  They also include a much more detailed version of instructions to clean it up.

It also highlights the issue that auto-updates can have – those who set their blogs to auto-update their plugins would find themselves hacked shortly thereafter, according to multiple reports from blog owners.  Because the new update would send admin login credentials to the plugin owner, he knew which sites had been corrupted with his new update.  This is in contrast to most WordPress plugin exploits that still require hackers to discover sites with the exploit.

If you use CCTM, you will want to check your site immediately and make the appropriate fixes.  The non-malicious version is 0.9.8.9 (the previous non-malicious version prior to the changes was 0.9.8.6).