
Multiple Plugins Backdoored in WordPress Supply Chain Attack

Anas Hasan

A hacker recently changed the source code of at least five WordPress.org plugins to add harmful PHP scripts, which create new administrator accounts on the websites that are running these plugins.

The Wordfence Threat Intelligence team discovered the attack two days ago, though it seems the harmful code was added to the plugins sometime late last week, around June 21 and June 22.

Once Wordfence detected the breach, it alerted the plugin developers immediately, which led to the prompt release of security patches for most of them.

Affected WordPress Plugins

The compromised plugins have been collectively installed on over 35,000 websites. Here is a breakdown of the affected plugins and their updates:

Wordfence has not been able to determine how the hacker got access to the plugin source code, but investigations are underway. While more WordPress plugins could be impacted, evidence so far suggests that only the five mentioned plugins are affected. 

“At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server,” Wordfence explained. 

The malicious code also injects JavaScript into the website’s footer, which spreads SEO spam throughout the site. According to researchers, the data is sent to the IP address 94.156.79[.]8, and the newly created admin accounts are called “Options” and “PluginAuth.”

Immediate Actions for Website Owners

If you are running any of these plugins, treat your site as potentially compromised. Immediate actions include conducting a thorough malware scan and cleanup. Stay on the lookout for any accounts named “Options” or “PluginAuth” as these are telltale signs of the attack.

Wordfence also highlighted that some plugins were temporarily removed from WordPress.org following the discovery, which might lead to warnings for users even if they have updated to a secure version.
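The account names and IP address reported above can be turned into a quick triage check. The following is an added example, not code from Wordfence or the article: it assumes the user list has been exported as CSV (for instance with WP-CLI's `wp user list --format=csv`) and that the IP appears as a literal string in plugin files; the function names and sample rows are constructed for illustration.

```python
import csv
import io
import os
import re

# Indicators as reported in the article; the IP is stored defanged and refanged here.
ROGUE_LOGINS = {"options", "pluginauth"}
C2_IP = "94.156.79[.]8".replace("[.]", ".")
# Whole-address match only, so a longer address that merely contains it is ignored.
C2_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?!\d)")


def rogue_accounts(users_csv):
    """Return (ID, login, roles) for users whose login is a reported account name.
    Input: CSV with ID, user_login and roles columns (assumed export format).
    Logins are compared case-insensitively, which is an assumption.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        if row["user_login"].strip().lower() in ROGUE_LOGINS:
            hits.append((row["ID"], row["user_login"], row["roles"]))
    return hits


def files_referencing_c2(root, extensions=(".php", ".js")):
    """Return sorted (relative path, line number) pairs that contain the reported IP."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if C2_RE.search(line):
                        hits.append((os.path.relpath(path, root), lineno))
    return sorted(hits)


# Constructed sample export, not data from a real site.
SAMPLE_USERS = """ID,user_login,display_name,user_email,user_registered,roles
1,siteowner,Site Owner,owner@example.com,2021-03-04 10:00:00,administrator
7,PluginAuth,PluginAuth,x@example.invalid,2024-06-22 02:13:44,administrator
9,options_editor,Opt Ed,ed@example.com,2022-01-01 09:00:00,editor
12,Options,Options,y@example.invalid,2024-06-22 02:13:45,"administrator,editor"
"""

if __name__ == "__main__":
    print(rogue_accounts(SAMPLE_USERS))
```

An empty result from either function does not show the site is clean, since injected code can hide strings; it only narrows where to look during the full malware scan.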
