Following the isolated incident affecting the DataForSEO website and its WordPress admin panel on March 26, and now that the root causes of this situation have been fully resolved, we would like to share the details about what happened, how we fixed it, and what steps we’re implementing right now to prevent similar incidents from happening in the future.
What happened?
At 03:33 (UTC) on March 27, we received a report from one of our customers about the suspicious modification of the public-facing content of the DataForSEO website, signalling unauthorized access to the WordPress Admin Panel and highlighting potential vulnerabilities in the Flamingo WordPress plugin.
We are committed to protecting our users, so the issue was treated with the highest priority and addressed immediately.
As part of the investigation of the incident, we were able to identify the attacker and confirm they used the Flamingo WordPress Plugin to inject a script executed in the admin session context and exfiltrate the session cookie to xss.report — a public XSS reporting platform. Using the stolen session, the attacker planted a persistence token in the database and, on March 26, uploaded and activated a plugin (hseo.zip) that deployed two remote webshells (ShellBot 2.0).
Our investigation confirmed that no DataForSEO user data was compromised and that the incident was isolated on the website; no other DataForSEO web infrastructure was affected.
Just three hours after receiving the report and confirming the incident (06:45 UTC, March 27), our team restored the security and functionality of the DataForSEO website and its WordPress Admin Panel, eliminating the root causes of the incident.
Attack Execution Timeline
| Time (UTC) | Event |
|---|---|
| 00:20, 04:00, 06:25 | POST /xmlrpc.php with UA PHP/6.3.86, PHP/7.2.46, PHP/5.3.27 — 403, blocked |
| 18:05:45 | GET /sh6800174088729988711268?al=true — 404, previous webshell already removed |
| 18:05:46–18:05:55 | Serial GET /wp-login.php?reauth=1 — session exists but reauth required |
| 18:05:57 | POST /wp-login.php — 200 (2606 bytes, failed reauth). Pre-existing session cookie still valid |
| 18:05:58 | GET /wp-admin/ — 200, admin panel accessed via existing session |
| 18:06:00–18:06:05 | Navigates /wp-admin/plugins.php → /wp-admin/plugin-install.php |
| 18:06:06 | GET /sh38218048780982?remove=me (UA: python-requests/2.32.4) — 404. Shell URL known before plugin upload — coordinated actor |
| 18:06:12 | POST /wp-admin/update.php?action=upload-plugin — hseo.zip uploaded (200, 44004 bytes) |
| 18:06:14 | GET /wp-admin/plugins.php?action=activate&plugin=hseo%2Fhseo.php — activated (302) |
| 18:06:16 | GET /sh38218048780982 — 200, 2534 bytes, UA: ShellBot 2.0 — first shell live |
| 19:01:11 | GET /sh368273599603930438 — 200, UA: ShellBot 2.0 — second shell live |
| 19:01:12–19:01:13 | POST /sh368273599603930438 (3 requests) — 200 — remote command execution confirmed |
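The sequence in the timeline above (blocked xmlrpc probing, a request for a not-yet-existing shell path, plugin upload immediately followed by activation, then a 200 from a short `/sh<digits>` path with a ShellBot user agent) is the kind of pattern a web-log detection rule can catch within seconds. The following is an added example, not DataForSEO's own tooling: it parses nginx combined-format lines and flags those stages. The log lines, client IP, year and byte sizes are constructed to mirror the table; only the paths and user agents come from the timeline.

```python
import re
from datetime import datetime, timedelta

# Constructed nginx "combined" log lines modelled on the timeline (IP, year, sizes invented).
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2025:00:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "PHP/6.3.86"
203.0.113.10 - - [27/Mar/2025:18:05:58 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Mar/2025:18:06:06 +0000] "GET /sh38218048780982?remove=me HTTP/1.1" 404 0 "-" "python-requests/2.32.4"
203.0.113.10 - - [27/Mar/2025:18:06:12 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 44004 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Mar/2025:18:06:14 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=hseo%2Fhseo.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Mar/2025:18:06:16 +0000] "GET /sh38218048780982 HTTP/1.1" 200 2534 "-" "ShellBot 2.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def detect(lines, window=timedelta(minutes=5)):
    """Return (rule, timestamp, detail) findings for the stages seen in this incident."""
    findings, last_upload = [], {}          # last_upload: client IP -> time of last plugin upload
    for e in filter(None, map(parse, lines)):
        path, _, query = e["path"].partition("?")
        # Stage 1: credential/xmlrpc probing with a bare "PHP/x.y" user agent (blocked, but worth counting)
        if path == "/xmlrpc.php" and e["method"] == "POST" and re.match(r"PHP/\d", e["ua"]):
            findings.append(("xmlrpc_probe", e["ts"], e["ua"]))
        # Stage 2: plugin ZIP upload followed by activation from the same client within the window;
        # legitimate admins do this too, so treat it as a review item rather than a verdict
        if path == "/wp-admin/update.php" and e["method"] == "POST" and "action=upload-plugin" in query:
            last_upload[e["ip"]] = e["ts"]
        if path == "/wp-admin/plugins.php" and "action=activate" in query:
            t0 = last_upload.get(e["ip"])
            if t0 is not None and e["ts"] - t0 <= window:
                findings.append(("upload_then_activate", e["ts"], e["path"]))
        # Stage 3: short numeric "/sh..." paths or the ShellBot UA; a 200 means the shell answered
        if re.fullmatch(r"/sh\d+", path) or "ShellBot" in e["ua"]:
            rule = "webshell_live" if e["status"] == 200 else "webshell_probe"
            findings.append((rule, e["ts"], f'{e["method"]} {e["path"]} {e["status"]} ua={e["ua"]}'))
    return findings
```

Run against the sample, the four findings line up with the table rows in order; the `/sh...?remove=me` 404 is reported as a probe two seconds before the upload, which is the "shell URL known in advance" observation the timeline makes.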
Impact
- Blast radius: single WordPress site — other services, databases, and infrastructure unaffected;
- No user data at risk — this WordPress installation contains only landing page content; no customer accounts, personal data, payment information, or user-generated content is stored in the database;
- Two remote webshells were deployed and confirmed active with command execution.
Resolution
- Removed the `hseo` plugin and associated files;
- Removed the Flamingo plugin;
- Deleted both webshell files from the filesystem;
- Scanned full filesystem;
- Audited `crontab` and WP scheduled tasks for persistence;
- Added the CSP header in nginx;
- Updated the team’s Internal Security Policies;
- Access to the DataForSEO WordPress Admin Panel is now IP-restricted through the corporate VPN.