Several plugins hosted in the WordPress.org plugin repository have been compromised, leaving the sites that run them open to takeover. Threat actors injected malicious code that grants them administrative access and a foothold for further activity. The WordPress.org Plugin Review team first warned users about Social Warfare, which was found to contain the injected code, and further investigation showed that the same injection was present in several other plugins on WordPress.org.
The affected plugins, in addition to Social Warfare, are Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks. Social Warfare has by far the largest install base, at more than 30,000 installations; the others are far smaller. Even so, the presence of identical malicious code across all five points to a larger supply chain attack rather than a set of isolated incidents, as Wordfence noted.
Social Warfare has since been patched in version 4.4.7.3, and all affected plugins have been temporarily delisted from the repository and cannot be downloaded. The remaining plugins have not yet received clean releases. Wrapper Link Element is a special case: the malicious code was removed in a release labeled 1.0.0, which carries a lower version number than the compromised release, so WordPress's update mechanism will not offer it to sites running the infected version and administrators have to replace the plugin manually.
The injected code creates a new administrator account and sends its details to an attacker-controlled server. It also hooks the site's footer to insert malicious JavaScript and seeds SEO spam across the site. The code is not sophisticated, but it hands the attacker full control of any site running a compromised version.
The attack appears to have begun on June 21, and malicious updates to the affected plugins were still being pushed until shortly before Wordfence published its findings on June 24. How the attackers got the code into the plugins in the first place is still unclear, and analysis of the entry point is ongoing.
WordPress and its plugin ecosystem are frequent targets because of their reach, so site owners should treat this as an active incident. Wordfence is developing malware signatures to detect the compromised plugins and advises removing any affected plugin immediately. Administrators should also audit their sites for administrator accounts they did not create, run a malware scan, and follow their incident response process: a rogue administrator account survives removal of the plugin that created it, so deleting the plugin alone does not evict the attacker.
To help administrators find evidence of the attack, Wordfence has published indicators of compromise (IoCs) and a guide to cleaning malicious code from WordPress-based sites. Acting quickly on those indicators and keeping plugins under review is the best way to protect a site and the data it holds.
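The admin-account audit recommended above can be scripted. The following is an added example, not from Wordfence or the article: it takes the JSON that `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered,roles --format=json` prints and reports any administrator who is not on the site's own allow-list or who was registered on or after the suspected campaign start of June 21, 2024. The user list embedded below is constructed for the example, and `KNOWN_ADMINS` is an assumed allow-list that a real site would fill in itself.

```python
"""Audit WordPress administrator accounts after a plugin compromise.
Added example. Input is the JSON printed by
  wp user list --role=administrator --fields=ID,user_login,user_email,user_registered,roles --format=json
The sample data below is constructed and does not come from any real site."""
import json
from datetime import datetime, timezone

# Suspected start of the campaign per Wordfence (June 21, 2024).
CAMPAIGN_START = datetime(2024, 6, 21, tzinfo=timezone.utc)

# Assumed allow-list of administrators the site owner actually created.
KNOWN_ADMINS = {"siteowner"}

# Constructed wp-cli output: one legitimate owner, one editor who was quietly
# given the administrator role, and one account created after the campaign began.
SAMPLE_USERS_JSON = """[
 {"ID": 1,  "user_login": "siteowner",       "user_email": "owner@example.com", "user_registered": "2021-03-10 09:12:44", "roles": "administrator"},
 {"ID": 7,  "user_login": "editor_jane",     "user_email": "jane@example.com",  "user_registered": "2023-11-02 15:01:00", "roles": "editor,administrator"},
 {"ID": 42, "user_login": "wpadmin_support", "user_email": "x@example.invalid", "user_registered": "2024-06-22 03:14:07", "roles": "administrator"}
]"""


def parse_users(raw: str) -> list:
    """Parse wp-cli's JSON user list."""
    return json.loads(raw)


def parse_registered(value: str) -> datetime:
    """wp_users.user_registered is a MySQL DATETIME that WordPress stores in UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def suspicious_admins(users: list, known: set, since: datetime) -> list:
    """Return [(user_login, [reasons...]), ...] for administrators that need review.
    wp-cli prints the roles field as a comma-separated string."""
    findings = []
    for u in users:
        roles = {r.strip() for r in u["roles"].split(",")}
        if "administrator" not in roles:
            continue
        reasons = []
        if u["user_login"] not in known:
            reasons.append("not on allow-list")
        if parse_registered(u["user_registered"]) >= since:
            reasons.append("registered after campaign start")
        if reasons:
            findings.append((u["user_login"], reasons))
    return findings


if __name__ == "__main__":
    users = parse_users(SAMPLE_USERS_JSON)
    for login, reasons in suspicious_admins(users, KNOWN_ADMINS, CAMPAIGN_START):
        print(f"{login}: {', '.join(reasons)}")
    # To act on a confirmed rogue account with wp-cli, reassigning its content to the owner:
    #   wp user delete <ID> --reassign=<owner ID>
    # and rotate the passwords, salts and any API keys the account could have reached.
```

An account that is flagged only as "not on allow-list" may simply be a forgotten legitimate admin, which is worth cleaning up anyway; an account registered after the campaign start on a site that ran one of the affected plugins should be treated as attacker-created until proven otherwise.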

