CyberSecurity SEE

WordPress Supply Chain Attack: Plugins Infected with Malware


A recent supply chain attack has targeted multiple plugins hosted on WordPress.org, causing concern among website administrators and cybersecurity experts. Discovered on June 24th, 2024, by the Wordfence Threat Intelligence team, the compromise was first identified in the Social Warfare plugin. According to the WordPress.org Plugin Review team, malicious code had been inserted into the plugin as early as June 22nd, 2024.

After identifying the malicious file within Social Warfare, the Wordfence team swiftly uploaded it to their internal Threat Intelligence platform for further analysis. This analysis uncovered that the same malicious code had spread to four additional plugins. Despite efforts to notify the WordPress plugins team about these compromised plugins, the response has been limited. However, the affected plugins have been delisted from the official repository to prevent further damage.

In total, this supply chain attack affected five popular plugins. Social Warfare versions 4.4.6.4 to 4.4.7.1 were compromised, and a patched version (4.4.7.3) has been released to address the issue. Blaze Widget versions 2.2.5 to 2.5.2 and Wrapper Link Element versions 1.0.2 to 1.0.3 were also affected, with no patched versions currently available. Users are advised to uninstall Wrapper Link Element until a properly tagged version is issued, to avoid complications.

Furthermore, Contact Form 7 Multi-Step Addon versions 1.0.4 to 1.0.5 and Simply Show Hooks version 1.2.1 have also been impacted, with no patched versions currently released for either plugin. The injected malware aims to create unauthorized administrative user accounts on compromised websites for data exfiltration to servers controlled by the attackers. Additionally, malicious JavaScript has been embedded in the footers of compromised websites, posing a threat to SEO by introducing spammy content.

The ongoing investigation into this supply chain attack has revealed the attackers’ activities as early as June 21st, 2024, with continuous plugin updates until detection. Despite the relative simplicity of the malicious code, the attackers’ use of comments throughout made it easier to trace. The Wordfence team is actively developing malware signatures to detect compromised versions of these plugins and recommends using the Wordfence Vulnerability Scanner for vulnerability checks and immediate action.

Website administrators are advised to look out for key indicators of compromise, such as the IP address 94.156.79.8 used by the attackers’ server and unauthorized administrative usernames like ‘Options’ and ‘PluginAuth’. To mitigate risks, thorough security audits and malware scans are crucial to ensuring the safety and integrity of WordPress websites. Stay informed and vigilant against potential threats to protect your online presence and data security.
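As an added illustration (not code from the article or from Wordfence), the following Python script turns the indicators above into a local check of a WordPress install: it reads each plugin's header version and compares it against the compromised ranges listed in the article, looks through plugin PHP files for the attacker IP, and flags the quoted rogue usernames when they hold the administrator role. The plugin directory names, the header-parsing regex and the sample plugin tree are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

AFFECTED = {  # slug: (first, last) compromised version from the page, inclusive; slugs are assumed
    "social-warfare": ("4.4.6.4", "4.4.7.1"), "blaze-widget": ("2.2.5", "2.5.2"),
    "wrapper-link-element": ("1.0.2", "1.0.3"), "simply-show-hooks": ("1.2.1", "1.2.1"),
    "contact-form-7-multi-step-addon": ("1.0.4", "1.0.5"),
}
ATTACKER_IP = "94.156.79.8"                 # attacker server IP quoted on the page
SUSPECT_ADMINS = {"Options", "PluginAuth"}  # rogue admin usernames quoted on the page

def vtuple(v):
    """'4.4.7.1' -> (4, 4, 7, 1) so version ranges compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def is_affected(slug, version):
    """True if this plugin/version pair falls inside a compromised range."""
    lo, hi = AFFECTED.get(slug, ("1", "0"))  # empty range for plugins not on the list
    return vtuple(lo) <= vtuple(version) <= vtuple(hi)

def plugin_version(plugin_dir):
    """Read the 'Version:' field of the standard WordPress plugin header comment, or None."""
    for php in Path(plugin_dir).glob("*.php"):
        m = re.search(r"^\s*\*?\s*Version:\s*(\d+(?:\.\d+)*)", php.read_text(errors="ignore"), re.M)
        if m:
            return m.group(1)

def scan_plugins(plugins_dir):
    """Flag plugins in a compromised version range or whose PHP references the attacker IP."""
    findings = []
    for d in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        ver = plugin_version(d)
        if ver and is_affected(d.name, ver):
            findings.append(f"{d.name} {ver}: version in compromised range")
        findings += [f"{f.relative_to(plugins_dir)}: contains {ATTACKER_IP}"
                     for f in d.rglob("*.php") if ATTACKER_IP in f.read_text(errors="ignore")]
    return findings

def suspicious_admins(users):
    """users: (login, role) pairs, e.g. from `wp user list`; returns rogue admin logins."""
    return sorted(u for u, role in users if role == "administrator" and u in SUSPECT_ADMINS)

def demo():
    """Constructed sample tree: one plugin in the compromised range whose code carries the IoC."""
    root = Path(tempfile.mkdtemp())
    (root / "social-warfare").mkdir()
    (root / "social-warfare" / "social-warfare.php").write_text(
        "<?php\n/*\nPlugin Name: Social Warfare\nVersion: 4.4.7.1\n*/\n"
        f"// constructed line carrying the page's IoC: {ATTACKER_IP}\n")
    return scan_plugins(root)
```

On a real site, point `scan_plugins` at `wp-content/plugins` and feed `suspicious_admins` the login/role pairs from `wp user list`; a version match alone is reason to remove the plugin, and a flagged admin account is reason to assume the site was fully compromised.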
