wpuser_X Administrator Exploit / Hack in WordPress PublishPress Capabilities Plugin

Security challenges are popping up everywhere, and the latest one is a hacker exploiting a vulnerability in a WordPress plugin which, ironically, is designed to limit users' access to WordPress capabilities and give better control over their permissions.

If you run a blog, online store or presentation site on WordPress with the PublishPress Capabilities plugin, it is worth checking under Dashboard > Users > All Users > Administrator that there are no users you don't recognise; most of the time they have a name of the form "wpuser_sdjf94fsld".

(Screenshot: wpuser_ hack on WordPress, a wpuser_ account listed under Administrator)

I came across this hack on several online stores and quickly concluded that their only common element is the PublishPress Capabilities plugin, which has a vulnerability that allows adding a user with the Administrator role without going through the standard registration process.

On some of the affected WordPress sites, the attackers only added new users with the Administrator role, without doing any damage. Or maybe they didn't have time.
On others, the WordPress Address (URL) and / or Site Address (URL) were redirected to external pages, most likely virus-laden ones. A sign that whoever launched these attacks did not think it through. That's the best part about security.
Of course, it is no pleasure to wake up and find your online store, website or blog redirected to another web address, but the good part is that, so far, whoever took control has not done any other damage, such as deleting content, injecting spam links throughout the whole database and other crazy things. I don't want to give ideas.

How do we resolve the security issue if we have been affected by the wpuser_ exploit on WordPress?

We take the scenario in which the WordPress blog was affected by the "wpuser_" hack and redirected to another web address, so clearly you can no longer log in and reach the Dashboard.

1. Connect to the database of the affected site, via phpMyAdmin or whatever management tool you have. The database credentials are in the wp-config.php file:

define('DB_USER', 'user_blog');
define('DB_PASSWORD', 'passworddb');

2. Go to the “wp_options” table and, in the “option_value” column, make sure the correct address of our site is stored for the “siteurl” and “home” options.

This is where the site gets redirected to another address. Once you change the address back to your own website, it will be accessible again.

3. Still in “wp_options”, check that the admin email address has not been modified as well: the “admin_email” option must hold the correct one. If it is not the correct one, change it back to the legitimate address. Here I found "admin@example.com".

4. Go to the Dashboard and urgently update the PublishPress Capabilities plugin, or disable it and delete it from the server.

5. In Dashboard > Users > All Users > Administrator, delete the illegitimate users with the Administrator role.

6. Change the passwords of the legitimate users with Administrator rights, and the database password.
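The checks in steps 2, 3 and 5 can be run directly against the database, which is useful when the Dashboard is unreachable because of the redirect. The SQL below is an added example, not code from the original post or from PublishPress; it assumes the default "wp_" table prefix (so the role is stored in the "wp_capabilities" usermeta key; adjust both if your wp-config.php sets a different $table_prefix) and uses "https://example.com" and "admin@example.com" as placeholders for your real site address and admin email.

```sql
-- Step 2 and 3: show the three options the wpuser_ hack is known to tamper with.
-- Compare the values against the address and email you actually own.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'admin_email');

-- Step 5: list every account holding the Administrator role, with its
-- registration date, so unknown accounts stand out. The role lives in the
-- serialized wp_capabilities meta value, hence the LIKE match.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;

-- Same list, narrowed to the naming pattern seen in this campaign.
-- The backslash keeps the underscore literal instead of a wildcard.
SELECT ID, user_login, user_email, user_registered
FROM wp_users
WHERE user_login LIKE 'wpuser\_%';

-- Step 2 and 3 fix: restore the legitimate values. Replace the placeholders
-- with your real site address (no trailing slash) and admin email first.
UPDATE wp_options SET option_value = 'https://example.com'
WHERE option_name IN ('siteurl', 'home');

UPDATE wp_options SET option_value = 'admin@example.com'
WHERE option_name = 'admin_email';
```

Once siteurl and home point back to your own domain, the Dashboard loads again and the rogue accounts from the two SELECT queries can be deleted through Users > All Users, which also removes their wp_usermeta rows and lets you reassign any content they own.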

It would be advisable to install and configure a security module. Wordfence Security provides sufficient protection in the free version for such attacks.

I didn't spend much time looking for where the vulnerability in PublishPress Capabilities lies, but if your site is infected with this exploit, the steps above can help you get rid of it. Comments are open.

Passionate about technology, I enjoy writing on StealthSettings.com since 2006. I have a rich experience in operating systems: macOS, Windows, and Linux, as well as in programming languages and blogging platforms (WordPress) and for online stores (WooCommerce, Magento, PrestaShop).
