Unauthorized Remote Access Detected on the Official Website of a Prestigious State Higher Education Institution in Uzbekistan via a Vulnerability in a WordPress Plugin!

Today, the information systems of educational institutions, government organizations, and large corporations have become one of the most attractive targets for cybercriminals. Modern threats are now being carried out not only through system vulnerabilities but also through the software supply chain (Supply Chain). The danger of such attacks lies in the fact that cybercriminals exploit software products that are generally considered trusted and secure, gaining the ability to infiltrate information systems undetected by users.

In April 2026, reports that supply-chain attacks could be carried out through the CVE-2024-34424 vulnerability discovered in the Smart Slider 3 Pro plugin caused widespread discussion around the world. As a result of this vulnerability, multiple security breaches were recorded on numerous WordPress sites. Subsequent investigations revealed that signs of this attack were also detected on the official domain of one of the prestigious state higher education institutions in our republic, confirming several stages of the attack chain.

According to the investigation, the attack was made possible due to the compromise of the infrastructure of the Smart Slider 3 Pro plugin developer. The attackers managed to inject malicious code into plugin version 3.5.1.35 and distribute it through official update channels. As a result, sites that installed this malicious version were infected with code that provided attackers with covert server access and remote control capabilities.

This incident is a clear example of a supply-chain attack, in which attackers target not the organization directly, but the software product it uses. Consequently, the malicious code enters the system through trusted software, and users may not notice it immediately.

The analysis showed that the attack developed in stages in accordance with the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK methodologies.

Initially, the malicious plugin was installed, which placed several hidden components within the system. These included files in the mu-plugins directory, components disguised as the WordPress core, special entries in the database, as well as hidden administrator accounts.

In the next stage, the backdoor established communication with the attackers’ command server, registered the compromised site within their system, and assigned it a unique identifier. This identifier allowed the attackers to subsequently manage the site remotely, monitor it, and extract related information.

According to the analysis results, the attackers were able to execute various commands on the server remotely through HTTP request headers sent to the server. This was one of the primary mechanisms used to establish control over the server.

It was determined that specially crafted HTTP headers sent to the server could be used to execute operating system commands. This vulnerability enabled attackers to run their own commands on the server.

The backdoor operated through the X-Cache-Key and X-Cache-Status headers. Using this mechanism, attackers could execute various commands on the server, check system status, and deploy new malicious components.

Analysis of log files revealed that starting from April 14, 2026, attackers sent a series of test commands to verify the backdoor’s active status.

Following this, they executed commands aimed at gathering information about the server’s operating system, user privileges, and configuration. These actions were undertaken to explore system capabilities and plan subsequent attack stages.

During the analysis, one of the most serious incidents was recorded on April 17, 2026, when the attacker successfully created a new PHP file on the server.

This file can serve as a webshell, providing attackers with remote server management capabilities.

Additionally, on June 8, 2026, it was discovered that commands sent to the server via shell injection were executed successfully.

This indicates that the vulnerability remained unpatched for an extended period, and the attackers may have retained system access.

This data suggests that the attack was active for at least two months, during which control over the server was likely maintained.

The attackers’ objectives were not limited to mere system infiltration. The analysis revealed that a large block of hidden SEO spam had been injected into the site’s HTML code. These spam blocks contained hundreds of links to gambling and illegal bookmaker services.

Although the links were hidden from regular users, they were indexed by search engine crawlers. As a result, the university’s domain was used in an attempt to artificially boost the search engine rankings of third-party commercial resources.

Such a situation can cause serious damage to the organization’s digital reputation, reduce domain trustworthiness in search engines, and potentially lead to the domain being blacklisted in the future.

One of the most dangerous aspects of the attack is the establishment of persistence mechanisms by the attackers. According to the analysis, even after the plugin was updated, the malicious components continued to operate. Until June 8, 2026, the backdoors were responding to commands sent to the server.

This demonstrates that the issue cannot be resolved simply by updating the plugin. If malicious files, database records, or hidden administrator accounts remain, attackers can regain access to the system at any time.

To identify activity related to this incident and to check for similar attack traces in other information systems, Indicators of Compromise (IoCs) were developed.

Based on the analysis, more than 16 IP addresses associated with the attack activity were identified. These IP addresses were observed sending malicious requests to the server and were linked to the attackers’ command infrastructure. Among the identified addresses, IP 124.248.183.139 exhibited the highest level of activity, with the majority of the attack carried out through this address.

To ensure system security and prevent similar attempts in the future, it is recommended to block the following IP addresses at the level of network security devices (firewalls, WAF, and other protection systems):

124.248.183.139
119.235.222.178
129.212.238.57
143.198.223.154
104.194.9.138
118.99.99.133
157.15.40.74
182.253.173.47
93.185.162.116
128.241.254.151
13.60.54.137
5.62.16.5
38.147.173.172
173.239.196.2
13.158.77.167
160.202.35.158

Additionally, it is recommended to conduct further analysis of historical log records related to these IP addresses and to check for other connections and activities originating from them.

The presence of the following objects in the server’s file system is considered a potential indicator of compromise:

  • wp-content/uploads/wp-log.php
  • wp-content/uploads/post_files/3ckruhyoraza4thj1pzxwrapw0w.php
  • Any PHP file within the uploads directory
  • wp-content/mu-plugins/object-cache-helper.php
  • wp-includes/class-wp-locale-helper.php
  • wp-includes/.cache_key
  • _wpc_ak lines in the functions.php file.

The presence of PHP files in the uploads directory, in particular, should be regarded as a significant warning sign.

The technical analysis conducted demonstrates that ensuring the security of information systems should not be limited to a one-time expert assessment or automatic updating of software components. While regular updates to software, plugins, and libraries are important, they do not guarantee complete system protection. Therefore, it is necessary to conduct regular security monitoring, audits, and additional checks of information resources.

Furthermore, it is recommended to regularly analyze logs for early detection of potential threats, conduct monitoring based on Indicators of Compromise (IoCs), and take prompt action on identified security incidents.

Ensuring the security of information systems is a continuous process. Thus, regular monitoring, security audits, timely vulnerability remediation, and rapid incident response are critical factors in enhancing an organization’s cybersecurity posture.