Jump to content
  • Plugins on WordPress.org backdoored in supply chain attack


    Karlston

    • 331 views
    • 3 minutes
     Share


    • 331 views
    • 3 minutes

    A threat actor modified the source code of at least five plugins hosted on WordPress.org to include malicious PHP scripts that create new accounts with administrative privileges on websites running them.

     

    The attack was discovered by the Wordfence Threat Intelligence team yesterday, but the malicious injections appear to have occurred towards the end of last week, between June 21 and June 22.

     

    As soon as Wordfence discovered the breach, the company notified the plugin developers, which resulted in patches being released yesterday for most of the products.

     

    Together, the five plugins have been installed on more than 35,000 websites:

     

    • Social Warfare 4.4.6.4 to 4.4.7.1 (fixed in version 4.4.7.3)
    • Blaze Widget 2.2.5 to 2.5.2 (fixed in version 2.5.4)
    • Wrapper Link Element 1.0.2 to 1.0.3 (fixed in version 1.0.5)
    • Contact Form 7 Multi-Step Addon 1.0.4 to 1.0.5 (fixed in version 1.0.7)
    • Simply Show Hooks 1.2.1 to 1.2.2 (no fix available yet)

     

    Wordfence notes that it does not know how the threat actor managed to gain access to the source code of the plugins but an investigation is looking into it.

     

    Although it is possible that the attack impacts a larger number of WordPress plugins, current evidence suggests that the compromise is limited to the aforementioned set of five.

    Backdoor operation and IoCs

    The malicious code in the infected plugins attempts to create new admin accounts and inject SEO spam into the compromised website.

     

    “At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server,” explains Wordfence.

     

    “In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website.”

     

    The data is transmitted to the IP address 94.156.79[.]8, while the arbitrarily created admin accounts are named “Options” and “PluginAuth,” the researchers say.

     

    Website owners that notice such accounts or traffic to the attacker's IP address should perform a complete malware scan and cleanup.

     

    “If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode.” – Wordfence.

    Wordfence notes that some of the impacted plugins were temporarily delisted from WordPress.org, which may result in users getting warnings even if they use a patched version.

     

    Source

     

    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every single day for many years.

    2023: Over 5,800 news posts | 2024 (till end of May): Nearly 2,400 news posts


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...