New Exploit In WordPress

A friend noted that he was experiencing weird behavior when he surfed my site. Whenever he clicked a link on my site, provided he’d visited FriendFeed previously, he would randomly be redirected to This is apparently a new exploit of WordPress that has arisen in the past week or so. I’m running WordPress 2.5.0.

The exploit is simple – it registers itself as an active plugin in your WordPress installation. To disguise itself slightly, the PHP code for this plugin is held in an image file. A quick look in the wp_option database should allow you to identify a plugin you don’t recognize. To do this:

  1. Login to your instance of MySQL: mysql <database name> -u <username> -p -h <database server>
  2. Find the active plugins registered in WordPress: select option_value from wp_options where option_name='active_plugins';
  3. Look for a plugin you don’t recognize: You should probably be able to figure out which plugins are which, based on their names – look for a plugin which is an image file.

For example, in my case an active plugin had been registered that was held in an image file called “rtl_old.jpg”. The result of looking at the active_plugins entry in wp_options:


Clever eh? I’m not clear on the mechanics by which this plugin is hidden from the Plugins panel of the WordPress, but nevertheless, the result is that you won’t be able to remove this malicious plugin from the WordPress admin panel. To remove the plugin, you’ll have to manually update the active_plugins entry for option_value.

You’ll need to craft a new value for option_value. Note that the entry encodes the data as an array of sorts (I’m not a big PHP guy, so I don’t know if this is standard practice or not). The “a:” entry specifies the length of the array, and the “i:” entry for each plugin specifies its location in the array. To remove the malicious plugin, I altered my option_value to the following:


To effect the necessary change in MySQL:

  1. Login to your instance of MySQL: mysql <database name> -u <username> -p -h <database server>
  2. Update the option_value entry: UPDATE wp_options SET option_value = '<new value for option_value>' WHERE option_name='active_plugins';

I’m curious about the content of the rtl_old.jpg file, but that can be dissected later. For now, these instructions should get you back on track and remove the malicious plugin.