Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts

Recently, multiple WordPress plugins have been discovered to contain backdoors, indicating a severe software supply chain attack. This malicious activity is designed to compromise websites by creating rogue administrator accounts and injecting harmful JavaScript. The malware generates admin accounts with usernames “Options” and “PluginAuth,” sending their details to the IP address 94.156.79[.]8. Signs of this attack trace back to June 21, 2024, though the exact method of plugin compromise remains unknown. The affected plugins, now removed from the WordPress directory for review, include Social Warfare (versions 4.4.6.4 to 4.4.7.1), Blaze Widget (versions 2.2.5 to 2.5.2), Wrapper Link Element (versions 1.0.2 to 1.0.3), Contact Form 7 Multi-Step Addon (versions 1.0.4 to 1.0.5), and Simply Show Hooks (version 1.2.1). Users are urged to inspect their sites for any suspicious admin accounts and delete them, as well as to remove any malicious code found in their site’s footer. Immediate action is recommended: update affected plugins to their latest patched versions if available, or remove them if patches are not yet released. Additionally, users should scan their sites for malware, change all administrator passwords, and continuously monitor site activity to ensure ongoing security. This incident highlights the critical need for rigorous security practices, including regular updates, monitoring, and thorough site audits to safeguard against such sophisticated attacks.

Overview of the Attack

Wordfence researcher Chloe Chamberland has issued a security alert revealing that injected malware in several WordPress plugins attempts to create new administrative user accounts and exfiltrates these details to an attacker-controlled server. Moreover, the attackers have embedded malicious JavaScript into the footers of compromised websites, resulting in the spread of SEO spam across the sites. This discovery points to a significant software supply chain attack aimed at compromising website security. The attack’s earliest signs date back to June 21, 2024, though the method of plugin compromise remains unidentified. Affected plugins include Social Warfare (versions 4.4.6.4 to 4.4.7.1), Blaze Widget (versions 2.2.5 to 2.5.2), Wrapper Link Element (versions 1.0.2 to 1.0.3), Contact Form 7 Multi-Step Addon (versions 1.0.4 to 1.0.5), and Simply Show Hooks (version 1.2.1). Users are advised to check for suspicious admin accounts and delete them, remove any malicious footer code, update or remove affected plugins, scan for further malware, change admin passwords, and monitor site activity closely. This incident underscores the importance of stringent security measures, including regular updates, comprehensive monitoring, and frequent site audits to protect against such sophisticated threats.

Key Findings:

The injected malware within compromised WordPress plugins has been observed creating unauthorized administrator accounts using specific usernames, namely “Options” and “PluginAuth.” These accounts are established with the intent to grant unauthorized access to affected websites. The account details, once created, are then transmitted to an IP address identified as 94.156.79[.]8, which is under the control of the attackers. This exfiltration of sensitive information poses a significant risk to the security and integrity of the compromised sites.

The earliest indicators of this malicious activity date back to June 21, 2024, suggesting that the attack had been under way for some time before it was detected. Despite ongoing investigation, the exact method the attackers used to compromise these plugins remains unknown. This uncertainty about the attack vector means that detailed forensic analysis of the compromised plugin releases is still needed to understand the infiltration fully and to confirm that remediation closes the path the attackers used.

Given these developments, users of the affected plugins are strongly advised to conduct thorough inspections of their websites for any signs of unauthorized administrator accounts, particularly those using the usernames mentioned. Immediate removal of such accounts is crucial to prevent further unauthorized access and potential damage. Furthermore, diligent monitoring for unusual network activity and the implementation of stringent security measures are recommended to safeguard against similar supply chain attacks in the future.

Affected Plugins

The following plugins have been identified as compromised and are no longer available for download from the WordPress plugin directory pending an ongoing review:

  1. Social Warfare
  • Versions Affected: 4.4.6.4 – 4.4.7.1
  • Patched Version: 4.4.7.3
  • Installs: 30,000+
  2. Blaze Widget
  • Versions Affected: 2.2.5 – 2.5.2
  • Patched Version: N/A
  • Installs: 10+
  3. Wrapper Link Element
  • Versions Affected: 1.0.2 – 1.0.3
  • Patched Version: N/A
  • Installs: 1,000+
  4. Contact Form 7 Multi-Step Addon
  • Versions Affected: 1.0.4 – 1.0.5
  • Patched Version: N/A
  • Installs: 700+
  5. Simply Show Hooks
  • Versions Affected: 1.2.1
  • Patched Version: N/A
  • Installs: 4,000+

Remediation Steps:

  1. Delete Suspicious Admin Accounts: Remove any administrator accounts with the usernames “Options” and “PluginAuth.”
  2. Remove Malicious JavaScript: Inspect and clean your site’s footer of any injected malicious JavaScript code.
  3. Update Affected Plugins: Update to the latest patched version of any affected plugins if available.
  4. Deactivate or Remove Compromised Plugins: Temporarily deactivate or remove affected plugins without available patches.
  5. Scan for Malware: Use security plugins to scan your website for additional malware or vulnerabilities.
  6. Change Administrator Passwords: Update passwords for all administrator accounts to secure your site against further unauthorized access.
  7. Monitor Site Activity: Continuously monitor your site for unusual activity and perform regular security audits.
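As an added example (not part of the original advisory or of Wordfence's tooling), the following triage script covers steps 1, 3 and 4 above against the Affected Plugins table: it flags installed plugin versions that fall inside an affected range and lists administrator logins matching the rogue account names. It assumes the input is the JSON from `wp plugin list --fields=title,version --format=json` and the logins from `wp user list --role=administrator --field=user_login`; the sample data embedded below is constructed.

```python
"""Triage helper for the June 2024 WordPress plugin supply-chain compromise.

Assumed inputs: JSON from `wp plugin list --fields=title,version --format=json`
and login names from `wp user list --role=administrator --field=user_login`.
The sample data at the bottom is constructed for illustration only.
"""
import json

# Affected ranges and patched versions as listed in the advisory (None = no patch released).
AFFECTED = {
    "Social Warfare": ("4.4.6.4", "4.4.7.1", "4.4.7.3"),
    "Blaze Widget": ("2.2.5", "2.5.2", None),
    "Wrapper Link Element": ("1.0.2", "1.0.3", None),
    "Contact Form 7 Multi-Step Addon": ("1.0.4", "1.0.5", None),
    "Simply Show Hooks": ("1.2.1", "1.2.1", None),
}
ROGUE_LOGINS = {"Options", "PluginAuth"}

def parse_version(v):
    """Turn '4.4.7.1' into (4, 4, 7, 1) so ranges compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))

def check_plugins(plugin_list_json):
    """Return (title, version, action) for each installed plugin inside an affected range."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        rng = AFFECTED.get(plugin["title"])
        if rng is None:
            continue
        lo, hi, patched = rng
        if parse_version(lo) <= parse_version(plugin["version"]) <= parse_version(hi):
            action = f"update to {patched}" if patched else "no patch released: deactivate or remove"
            findings.append((plugin["title"], plugin["version"], action))
    return findings

def check_admins(user_logins):
    """Return administrator logins that match the rogue account names from the advisory."""
    return sorted(login for login in user_logins if login.strip() in ROGUE_LOGINS)

# Constructed sample WP-CLI output, not taken from a real site.
SAMPLE_PLUGINS = json.dumps([
    {"title": "Social Warfare", "version": "4.4.7.0"},
    {"title": "Simply Show Hooks", "version": "1.2.1"},
    {"title": "Hello Dolly", "version": "1.7.2"},
    {"title": "Blaze Widget", "version": "2.2.4"},
])
SAMPLE_ADMINS = ["siteowner", "PluginAuth", "editor_jane", "Options"]

if __name__ == "__main__":
    for title, version, action in check_plugins(SAMPLE_PLUGINS):
        print(f"[!] {title} {version}: {action}")
    for login in check_admins(SAMPLE_ADMINS):
        print(f"[!] rogue administrator account: {login}")
```

A clean run of this script is not an all-clear: the footer JavaScript (step 2) and any attacker-created accounts under other names still need a manual review, and changing administrator passwords (step 6) remains necessary because the account details were exfiltrated.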