- Security researchers found JavaScript code installing four backdoors on WordPress sites
- They also found a vulnerable plugin that enables full website takeover
- Patches and mitigations are available for all of these vulnerabilities
A single piece of JavaScript code deployed no fewer than four separate backdoors on approximately 1,000 WordPress websites, according to a new report by cybersecurity researchers at c/side, which detailed the four backdoors and explained how users of the website builder should protect themselves.
The analysis did not elaborate on how the malicious JavaScript reached these websites; we can assume weak or compromised passwords, a vulnerable plugin, or something similar. In any case, the code is served through CDN.CSyndion[dot]com, a domain mentioned on at least 908 websites.
The script implements four backdoors. One installs a fake plugin called “Ultra SEO Processor” that can run remote commands, one injects malicious JavaScript into wp-config.php, one adds an SSH key to give the threat actors persistent access, and one executes commands remotely and opens a reverse shell.
Chaty Pro 10/10
To minimize the risk, c/side advises website owners to remove unauthorized SSH keys, rotate their WP admin credentials, and scan system logs for any suspicious activity.
At the same time, Patchstack found that Chaty Pro, a popular WordPress plugin with about 18,000 installations, allowed malicious file uploads on websites where it was installed. Chaty Pro allows owners to integrate chat services with social messaging tools.
The flaw is tracked as CVE-2025-26776 and has a severity score of 10/10 (critical). Since threat actors can use it to upload malicious files, it can lead to complete website takeover, hence the critical severity. Infosecurity Magazine reports that the function included a whitelist of allowed file extensions that, unfortunately, was never implemented.
“The uploaded file name contains the upload time and a random number between 100 and 1000, so it is possible to upload a malicious PHP file and access it by brute-forcing possible file names around the upload time,” Patchstack explained.
Chaty Pro's maintainers released a fix on February 11. All users are advised to update the plugin to version 3.3.4.
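As an added example (not Chaty Pro's code and not taken from Patchstack's report), the PHP function below shows the two controls the flaw description implies were missing: an extension allowlist that is actually enforced, and a stored file name drawn from the CSPRNG instead of the upload time plus a small random number. The function name, the constant and the set of allowed extensions are assumptions made for illustration.

```php
<?php
// Added example; names are hypothetical and not from the plugin.

// Allowlist of extensions the feature needs (assumed set for illustration).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/**
 * Return a safe stored file name for an upload, or null if it must be rejected.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any path components the client supplied (both separator styles).
    $base = basename(str_replace('\\', '/', $clientName));

    // Split on dots and require at least a name plus one extension.
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return null;
    }

    // Check every segment after the first, so "shell.php.jpg" and ".htaccess"
    // are rejected as well as "shell.php". This is deliberately strict:
    // a name like "my.photo.jpg" is also refused.
    array_shift($parts);
    foreach ($parts as $segment) {
        if (!in_array($segment, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }
    $ext = end($parts);

    // 128 bits from the CSPRNG: the stored name cannot be derived
    // from the upload time or guessed from a small numeric range.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs.
$samples = ['avatar.PNG', 'shell.php', 'shell.php.jpg', '../../x.phtml', '.htaccess', 'noext'];
foreach ($samples as $name) {
    $stored = safe_upload_name($name);
    printf("%-16s => %s\n", $name, $stored ?? 'REJECTED');
}
```

Only `avatar.PNG` is accepted here, and it is stored under a random 32-hex-character name with a `.png` extension. An extension check does not validate file content, so the upload directory should also be configured not to execute PHP.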
Via The Hacker News