Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins

On Monday June 24th, 2024 the Wordfence Threat Intelligence team became aware of a plugin, Social Warfare, that was injected with malicious code on June 22, 2024 based on a forum post by the WordPress.org Plugin Review team. We immediately checked the malicious file and uploaded it to our internal Threat Intelligence platform, which identified four additional plugins that were infected with similar code. We then reached out to the WordPress plugins team to alert them about the four additional plugins but have not yet received a response, though it appears the plugins have been delisted.

As of this moment, we know that the following plugins are infected:

• Social Warfare 4.4.6.4 - 4.4.7.1
  • Patched Version: 4.4.7.3
• Blaze Widget 2.2.5 - 2.5.2
  • Patched Version: None
• Wrapper Link Element 1.0.2 - 1.0.3
  • Patched Version: It appears that someone removed the malicious code, however, the latest version is tagged as 1.0.0 which is lower than the infected versions. This means it may be difficult to update to the latest version, so we recommend removing the plugin until a properly tagged version is released.
• Contact Form 7 Multi-Step Addon 1.0.4 - 1.0.5
  • Patched Version: None
• Simply Show Hooks 1.2.1
  • Patched Version None

At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server. In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website. The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow. The earliest injection appears to date back to June 21st, 2024, and the threat actor was still actively making updates to plugins as recently as 5 hours ago. At this point we do not know exactly how the threat actor was able to infect these plugins.

Currently, the Wordfence Threat Intelligence team is performing a deeper analysis and will provide more information as it becomes available. We are actively working on a set of malware signatures to provide detection for these compromised plugins, however, if you are running a malicious version of one of the plugins, you will be notified by the Wordfence Vulnerability Scanner that you have a vulnerability on your site and you should update the plugin where available or remove it ASAP.

Indicators of Compromise

• The following IP Address is the server IP Address where the malicious attacker is sending the data
  • 94.156.79.8
• The following are the current known usernames of the administrative user accounts that are being generated
  • Options
  • PluginAuth

If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode. We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan with the Wordfence plugin or Wordfence CLI and removing any malicious code.

You can view our full guide to cleaning your WordPress site here, or you can sign up for Wordfence Care or Wordfence Response where we offer complete incident response services for an entire year 24/7/365.

The post Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins appeared first on Wordfence.