MalwareGone Threat Analysis – MulCiShell Backdoor and File Uploader – Part II

This is the second part of our exploration MulCiShell Backdoor and File Uploader, a malicious PHP Web Shell that was detected on a customer’s website using CodeGuard’s MalwareGone tool. If you haven’t already, take a look at Part I before continuing. In this post, we’ll wrap things up by discussing the vulnerabilities that were found on this site, which may have allowed the MulCiShell Backdoor and File Uploader to be inserted. To pick up where we left off before, here is a list of installed WordPress plugins installed on the hijacked site:



A search on the WPScan Vulnerability Database reveals a number of public vulnerabilities for some of these plugins. Here are a few examples:

  1. WordPress Plugin: Akismet

Version installed: 3.0.4

Vulnerability:  Unauthenticated Stored Cross-Site Scripting (XSS)

Versions affected: Akismet 2.5.0-3.1.4


2. WordPress Plugin: iThemes Security (formerly Better WP Security)

Version installed:  5.6.1

Vulnerability: Unauthenticated Stored Cross-Site Scripting

Versions affected: <= 5.6.1


Both of these vulnerabilities are Cross-Site Scripting aka XSS. But do you know what XSS is? According to the highly regarded Open Web Application Security Project, OWASP –

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. 

Okay, but what does that really mean? To put it simply, it means that if there is an XSS vulnerability in your web application an attacker can inject code (usually JavaScript) that affects other users when they visit your site or click on a malicious link crafted by the attacker. XSS is considered the third most frequent vulnerability on web applications according to OWASP’s list of the 10 most common web application risks. Generally speaking, there are three kinds of XSS:

  • Stored or Persistent – when the malicious code is stored in the site’s database
  • Reflected – when the malicious code comes within the victim’s request
  • DOM-based – when the vulnerability is in the client-side, that is the Document Object Model of the browser



Persistent XSS Example – Source:

With this kind of vulnerability, attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert malicious content, redirect users to vulnerable websites, etc. We believe that the attacker was able to exploit one of these vulnerabilities to inject code on the client’s site and with that they were able to upload the malicious files we saw in the first part of this post. This is why it’s important as website owners to keep all of your systems updated and, of course, to have a backup strategy like CodeGuard in place just in case things do go wrong.

If you have any questions or comments don’t hesitate to send them to us! See you next time!


OWASP Foundation –

OWASP Appsec Tutorial Series – Episode 3: Cross Site Scripting (XSS) –

XSS vulnerability in iThemes Security (formerly Better WP Security) 5.6.1 –

Akismet 3.1.5: Security Release


Leave a comment

Your email address will not be published. Required fields are marked *