When WP_CLI runs Wordpress from the command line, are hooks called?

Yesterday, I found out that a website I worked on as a writer (I have no admin access) had been injecting malicious Javascript code in all its pages, as described in this article by Luke Leal.

According to that article, a fake Wordpress plugin must have been installed on that website to inject the malicious code.

I want to draw your attention to this section of the malicious code:

// This code is defined inside a PHP class...
function save_striplple_plugin() {
    global $wp_list_table;
    // Plugin file of the fake plugin that is to be hidden from the plugins list
    $h = array('wp-striplple/wp-striplple.php');
    $myplugins = $wp_list_table->items;
    foreach ($myplugins as $key => $val) {
        if (in_array($key, $h)) {
            // Drop the fake plugin's row before the admin table is rendered
            unset($wp_list_table->items[$key]);
        }
    }
}

public function striplple_start(){
    ...
    add_action('pre_current_active_plugins', [$this, 'save_striplple_plugin']);
}

The second method adds the first method to the pre_current_active_plugins hook. According to the official documentation, that hook runs before creating a list of the installed plugins; not the active plugins, the installed plugins.

The first method runs when that action is called and deletes the fake plugin from the list of installed plugins.

So, I wondered how we could create a list of the installed plugins on a website that could not be manipulated by an attacker. A first way, off the top of my head, is to access the website through FTP and see what's in the /plugins folder.

Then I wondered if WP_CLI would show us this fake Wordpress plugin in the list of plugins. Although I've used WP_CLI before, I don't think I really understand its inner processes and how it interacts with a Wordpress installation.

When WP_CLI runs Wordpress from the command line, are hooks called? Would a list of plugins generated with WP_CLI be manipulated by this fake Wordpress plugin?

Topic: wp-cli, hooks, Wordpress

Category: Web


WP CLI will run plugins by default, so any hooks used in active plugins would be run.

You can tell WP CLI to not run the active plugins, though. To get the full list of plugins, even if a malicious plugin tries to hide itself, the following should work:

wp plugin list --skip-plugins

(Caveat: any must-use plugins will still be loaded. To disable MU plugins, you'd need to remove them from the wp-content/mu-plugins directory.)

--skip-plugins is a global parameter, so you should be able to use it on any wp * command. --skip-themes is also available.
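The question asks for a plugin list an attacker cannot manipulate, and the answer points out that `--skip-plugins` still leaves must-use plugins loaded. The script below is an added example (not code from the question, the answer, or WP-CLI itself) that cross-checks what is on disk in `wp-content/plugins` against the list WordPress reports, so a plugin that unhooks itself from the admin table still surfaces. It assumes the reported list was captured one slug per line, for instance with `wp plugin list --skip-plugins --field=name > reported.txt`; the fixture directory and the reported list used here are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Compare plugin slugs found on disk with the slugs WordPress reported.
# Assumption (not from the page): the reported list is a plain text file
# with one plugin slug per line, e.g. from
#   wp plugin list --skip-plugins --field=name > reported.txt

# Print the plugin slugs present in a wp-content/plugins directory, sorted.
disk_plugins() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue              # empty directory: glob stays literal
        name=$(basename "$entry")
        if [ -d "$entry" ]; then
            printf '%s\n' "$name"                # normal plugin: one directory per plugin
        elif [ "$name" != index.php ]; then      # index.php is WordPress's placeholder
            case "$name" in
                *.php) printf '%s\n' "${name%.php}" ;;   # single-file plugin
            esac
        fi
    done | sort -u
}

# Print slugs that exist on disk but are missing from the reported list.
# $1 = plugins directory, $2 = file with the reported slugs.
hidden_plugins() {
    disk_tmp=$(mktemp)
    rep_tmp=$(mktemp)
    disk_plugins "$1" > "$disk_tmp"
    sort -u "$2" > "$rep_tmp"
    comm -23 "$disk_tmp" "$rep_tmp"              # lines only in the on-disk list
    rm -f "$disk_tmp" "$rep_tmp"
}

# Constructed fixture: three plugin directories on disk, but the reported list
# (standing in for a manipulated "wp plugin list") omits the fake one.
DEMO_ROOT=$(mktemp -d)
DEMO_PLUGINS_DIR="$DEMO_ROOT/wp-content/plugins"
DEMO_REPORTED="$DEMO_ROOT/reported.txt"
mkdir -p "$DEMO_PLUGINS_DIR/akismet" \
         "$DEMO_PLUGINS_DIR/classic-editor" \
         "$DEMO_PLUGINS_DIR/wp-striplple"
: > "$DEMO_PLUGINS_DIR/index.php"
printf 'akismet\nclassic-editor\n' > "$DEMO_REPORTED"

echo "Plugins on disk that WordPress did not report:"
hidden_plugins "$DEMO_PLUGINS_DIR" "$DEMO_REPORTED"
```

Because the on-disk listing never executes WordPress, it is unaffected by any hook, whether from an ordinary plugin or from a must-use plugin that `--skip-plugins` would still load; running the same comparison against `wp-content/mu-plugins` covers that directory too.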
