Tag: proactivedefence

Inside a Fake WordPress Plugin: How "WP Content Optimizer" Takes Over a Site

During a routine review of Proactive Defense events, our security team noticed widespread activity from what appeared to be a WordPress optimization plugin called "WP Content Optimizer." The plugin header claimed version 3.0.2, authored by "Developer Tools Team," providing "advanced content delivery optimization and site health monitoring."

None of that was true. The plugin is a sophisticated backdoor packed into roughly 1,100 lines of PHP. It creates a hidden administrator account, makes itself invisible, removes security plugins, fights off competing malware, persists through deletion attempts, and delivers encrypted JavaScript payloads fetched from a Binance Smart Chain smart contract.

This post walks through the malware step by step: what it does, how it works, and why it makes the choices it does. We're publishing the full Indicators of Compromise so defenders can check their own environments.

Imunify360 Stats That Speak Volumes

In the rapidly evolving world of cybersecurity, numbers tell a powerful story. For Imunify360, these numbers highlight not only our success but also the vital role we play in keeping websites secure across the globe.

Proactive vs. Reactive Security: 5 Tips for Proactive Cyber Security

For years, cybersecurity has been reactive - incidents were identified and remediated after discovery. But having a reactive strategy means that you often clean up after the damage has already been done. It only takes a few minutes for attackers to exfiltrate data, so a reactive strategy is no longer the best practice due to the massive revenue loss after a breach. Instead, organizations should push towards a proactive approach to stop attackers before they can do any damage and steal data. The article covers the following topics:

Imunify360 Proactive Defense and Real-time AV scanner Performance boost

The Imunify team is happy to report that we achieved another performance improvement. This time it relates to the Proactive Defense module and Real-time AV scanner.

Imunify360 - Proactive Defense Improvement

On December 6th, the Imunify360 team released an improved set of rules for Proactive Defense. The rules are intended to improve overall server performance. We already see an average load decrease on servers running Imunify360, as well as significantly lower response times (see Figure 1).

Proactive Defense. It is time to enable it!

Frequently, during an investigation of malicious activity, we face infections that spread through an attack vector that cannot be covered by a plain WAF rule. For instance, this is possible when

    • a user uploads a “nulled” theme or plugin from an untrusted source that already contains malware and can append an injection to the application’s core files after installation, or
    • the attacker gains access to the server with a stolen FTP, SSH, cPanel, or WHM password. Read our new article with best practices on how to stay on top of cPanel security.

ImunifyAV(+) v.4.7 released

 

Imunify360 4.7 released

 
