The Wordfence Threat Intelligence team has uncovered a compromise of several WordPress plugins: at least five plugins hosted on WordPress.org were modified to include malicious PHP that creates new administrator accounts on the sites running them.
Wordfence identified the compromise on June 24, 2024; the malicious versions had been pushed between June 21 and June 22. On discovery, Wordfence alerted the plugin developers, and patched releases are now available for most of the affected plugins.
Affected Plugins and Versions
The compromised plugins have a combined install base of over 35,000 websites. The affected version ranges and the first clean release are:
- Social Warfare 4.4.6.4 to 4.4.7.1
  - Fixed version: 4.4.7.3
- Blaze Widget 2.2.5 to 2.5.2
  - Fixed version: 2.5.4
- Wrapper Link Element 1.0.2 to 1.0.3
  - Fixed version: 1.0.5
- Contact Form 7 Multi-Step Addon 1.0.4 to 1.0.5
  - Fixed version: 1.0.7
- Simply Show Hooks 1.2.1 to 1.2.2
  - No fixed version available yet
Wordfence has not yet determined how the threat actor gained access to the source code of these plugins; the investigation into the full extent and origin of the compromise is ongoing.
Malicious Activity and Indicators of Compromise
The injected malware performs several actions. It creates new administrator accounts with the usernames "Options" and "PluginAuth" and posts the credentials of those accounts to an attacker-controlled server at IP address 94.156.79.8. It also injects JavaScript into the footer of compromised sites, which spreads SEO spam across the site. The presence of either username on a site, or of that IP address in plugin files or outbound traffic, should be treated as an indicator of compromise.
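The following POSIX shell script is an added example, not part of the original article or of Wordfence's tooling, that turns the indicators above into a sweep a site operator can run: it lists plugin files that mention the C2 address or the "PluginAuth" username, flags the backdoor usernames in a list of administrator logins (the word "Options" is too common in plugin code to grep for, so it is checked against the user list instead), and lists externally hosted script tags in a page's HTML so an injected footer script stands out. The site hostname, directory paths and the sample inputs used in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article or Wordfence): IoC sweep for the
# WordPress.org plugin compromise. Needs only grep and sed.
#
# Usage (paths and host are assumptions):
#   . ./ioc-sweep.sh
#   find_plugin_iocs /var/www/html/wp-content/plugins && echo "C2/backdoor strings found"
#   wp user list --role=administrator --field=user_login | check_admin_logins
#   curl -s https://example.com/ | foreign_scripts example.com

IOC_IP='94.156.79.8'                  # server that receives the new admin credentials
IOC_USERS='^(Options|PluginAuth)$'    # usernames the malware creates

# find_plugin_iocs DIR
# Prints files under DIR that contain the C2 IP, or the backdoor username
# "PluginAuth" as a quoted string (e.g. wp_create_user('PluginAuth', ...)).
# Returns 0 if anything matched, 1 if the tree is clean.
find_plugin_iocs() {
    hit=1
    # -I skips binaries; -F treats the IP as a literal so the dots are not wildcards.
    if grep -rIlF "$IOC_IP" "$1" 2>/dev/null; then hit=0; fi
    # Quoted username inside PHP; "Options" is omitted here because it is a
    # common legitimate string in plugin code.
    if grep -rIlE "['\"]PluginAuth['\"]" "$1" 2>/dev/null; then hit=0; fi
    return $hit
}

# check_admin_logins < logins.txt
# Reads administrator login names, one per line (for example the output of
# `wp user list --role=administrator --field=user_login`), and prints those
# matching the backdoor usernames. Returns 0 if any were found, 1 otherwise.
check_admin_logins() {
    grep -E "$IOC_USERS"
}

# foreign_scripts SITE_HOST < page.html
# Prints the src of every <script> tag that loads from a host other than
# SITE_HOST. A legitimate site should be able to account for every line;
# an injected footer script pulling from an attacker domain will show up here.
# Returns 0 if any foreign script was found, 1 otherwise.
foreign_scripts() {
    site="$1"; q="'"
    grep -oE "<script[^>]*src=[\"$q][^\"$q]+" \
      | sed -E "s/.*src=[\"$q]//" \
      | grep -E '^(https?:)?//' \
      | grep -vF "//$site/"
}
```

Each function exits non-zero when it finds nothing, so the sweep can gate a cron job or a deploy step. The file scan only catches this specific payload; a site that ever ran an affected version should still be treated as compromised until the administrator list, the plugin tree and the rendered footer have been reviewed and the plugin has been updated to the fixed version.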
Some of the impacted plugins have been temporarily delisted from WordPress.org, so users may see warnings about them even when running a patched version.
Bijay Pokharel