Multiple Plugins Backdoored in WordPress Supply Chain Attack

An attacker recently modified the source code of at least five WordPress.org plugins to insert malicious PHP that creates new administrator accounts on every site running them.

The Wordfence Threat Intelligence team discovered the attack two days before this article was published; the malicious code appears to have been injected into the plugins between June 21 and June 22.

Once Wordfence detected the compromise, it notified the plugin developers, and patched releases followed promptly for most of the affected plugins.

Affected WordPress Plugins

The compromised plugins have a combined install base of more than 35,000 websites. The affected version ranges and the patched releases are:

  • Social Warfare: Versions 4.4.6.4 to 4.4.7.1, patched in version 4.4.7.3.
  • Blaze Widget: Versions 2.2.5 to 2.5.2, patched in version 2.5.4.
  • Wrapper Link Element: Versions 1.0.2 to 1.0.3, patched in version 1.0.5.
  • Contact Form 7 Multi-Step Addon: Versions 1.0.4 to 1.0.5, patched in version 1.0.7.
  • Simply Show Hooks: Versions 1.2.1 to 1.2.2, no patched version available at the time of writing.

Wordfence has not yet determined how the attacker obtained access to the plugin source code; the investigation is ongoing. More plugins could turn out to be affected, but the evidence so far points to only these five.

“At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server,” Wordfence explained. 

The injected code also adds malicious JavaScript to the site footer to spread SEO spam across the site. According to the researchers, the stolen account details are sent to the IP address 94.156.79[.]8, and the rogue administrator accounts are named “Options” and “PluginAuth”.

Immediate Actions for Website Owners

If you run any of these plugin versions, treat the site as potentially compromised: updating the plugin closes the injection point but does not remove what the backdoor has already done. Run a thorough malware scan and clean-up, review the user list for administrator accounts named “Options” or “PluginAuth” (and for any administrator you did not create), remove them, rotate the credentials of the remaining administrators, and check the site footer and plugin files for injected JavaScript and for references to the attacker IP.
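As an added example (not code from this article, from Wordfence, or from any of the affected plugins), the POSIX shell script below turns the indicators above into two triage checks: one over a `wp user list` CSV export, one over the `wp-content/plugins` tree. The IP address and the two account names are the ones reported in the article; the function names, the CSV column set, the `--demo` switch, the sample user rows and the sample plugin files are constructed for the demonstration and carry no real malware.

```shell
#!/bin/sh
# Added triage example for the indicators in the article; not Wordfence's or PureVPN's code.
# Assumes: (1) a CSV export from WP-CLI on stdin for flag_suspicious_admins,
#          (2) the path to wp-content/plugins as the argument of scan_plugins.
# Every sample below (user rows, plugin files) is constructed for the demo and is inert.

IOC_IP='94\.156\.79\.8'           # exfiltration address reported by Wordfence (regex-escaped)
IOC_LOGINS='Options PluginAuth'   # administrator logins the injected code creates
INJECT_START='2024-06-21'         # first day of the reported injection window

# flag_suspicious_admins [since-date]
# Input: rows of "ID,user_login,user_email,roles,user_registered", as produced by
#   wp user list --fields=ID,user_login,user_email,roles,user_registered --format=csv
# Output: "IOC-NAME <login>" for the known backdoor logins, and
#         "NEW-ADMIN <login> <date>" for any other administrator registered on/after since-date.
flag_suspicious_admins() {
    awk -F, -v since="${1:-$INJECT_START}" -v names="$IOC_LOGINS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        NR == 1 { next }                                   # CSV header
        {
            login = $2; roles = $4; registered = substr($5, 1, 10)
            if (login in known) { print "IOC-NAME " login; next }
            if (roles ~ /administrator/ && registered >= since) { print "NEW-ADMIN " login " " registered }
        }'
}

# scan_plugins <plugins-dir>
# Lists PHP files that reference the attacker IP or a quoted backdoor login.
# A hit is a lead for manual review; no hit does not prove the tree is clean.
scan_plugins() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE "$IOC_IP|['\"](Options|PluginAuth)['\"]" {} + 2>/dev/null || true
}

# Constructed `wp user list` export: a long-standing admin, a backdoor account,
# an editor created after the window (must not be flagged) and a new unexplained admin.
SAMPLE_USERS_CSV='ID,user_login,user_email,roles,user_registered
1,alice,alice@example.com,administrator,2021-03-02 10:00:00
7,PluginAuth,pluginauth@example.com,administrator,2024-06-22 03:14:07
8,bob,bob@example.com,editor,2024-06-23 08:00:00
9,maint,maint@example.com,administrator,2024-06-22 11:45:00'

# make_sample_plugins: builds a two-plugin tree in a temp dir and prints its path.
# The "backdoored" file only carries the IOC strings as a marker; it executes nothing.
make_sample_plugins() {
    d=$(mktemp -d)
    mkdir -p "$d/clean-plugin" "$d/backdoored-plugin"
    printf '<?php\n// ordinary plugin code\nadd_action("init", "cp_init");\n' \
        > "$d/clean-plugin/clean-plugin.php"
    printf '<?php\n// constructed marker, not malware\n$c = "http://94.156.79.8/";\n$u = "PluginAuth";\n' \
        > "$d/backdoored-plugin/loader.php"
    printf '%s\n' "$d"
}

# `sh triage.sh --demo` runs both checks against the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_USERS_CSV" | flag_suspicious_admins
    d=$(make_sample_plugins); scan_plugins "$d"; rm -rf "$d"
fi
```

On a live site, pipe the WP-CLI export into `flag_suspicious_admins` and point `scan_plugins` at the real `wp-content/plugins` directory. The date filter exists because the attacker can rename accounts: any administrator that appeared during the injection window deserves a look, not only the two names Wordfence observed.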

Wordfence also noted that some of the plugins were temporarily removed from WordPress.org after the discovery, so users may see warnings about them even after updating to a patched version.

Author: Anas Hasan

Date: June 26, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast with extensive experience in the digital transformation industry. When Anas isn’t blogging, he watches football.