{"uuid": "e64d4daa-c4b5-43d9-b8a5-7e7a13bef673", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-10795", "type": "seen", "source": "https://gist.github.com/gnanet/0b305a2d339361a4d762a8fe497845be", "content": "Having faced a mystery, where WordPress/WooCommerce shops went nuts, I found out I was hit by CVE-2026-10795\n\nIOCs were:\n\n- Found an \"undeletable\" mu-plugin: `mu-plugins/turbo-watcher-x.php`\n- 2 plugins got lost: `w3-total-cache` and `woocommerce-german-market`\n- Found a new user admin_{HASH}, or adm_{HASH}\n- any administrator who logged in automatically got the same `session_tokens` in addition to its own login\n\nSecondary IOC was inside the `options` table\n\n```\nSELECT * FROM wp_options WHERE (LENGTH(option_name) = 12 AND option_name REGEXP '^[0-9a-f]+$') OR option_name like 'sc\\_%'\n```\n\nOne option_value was the key to the above SQL conditions: `3.1.0|php.x-rehctaw-obrut`\n\nand an interesting option_key `sc_last_rpc`, with option_value `https://0xrpc.io/eth`\n\nI wanted to analyse the dropped PHP, tried a lot of online deobfuscators, but the biggest initial help was\n[reverse-php-malware](https://github.com/bediger4000/reverse-php-malware)\n\nIt helped me to understand how the token collection was interpreted, how it chose values, function names, etc.\n\nI attached `dict-test.php` which contains an original string from the dropped PHP in the comments, but running it is safe, because the re-write below the comments will only print out the obfuscated tokens/words/etc. in cleartext.", "creation_timestamp": "2026-06-19T08:00:58.000000Z"}