Hackers Exploit WordPress Plugins to Create Rogue Admins

Multiple WordPress plugins have been compromised to inject malicious code, enabling the creation of rogue administrator accounts that can perform arbitrary actions.

According to the report, the injected code creates a new administrative user account and sends its details back to an attacker-controlled server. It also injects malicious JavaScript into the website’s footer to add SEO spam throughout the site.

The rogue admin accounts use the usernames “Options” and “PluginAuth,” and the account details are sent to the IP address 94.156.79[.]8. Both usernames and the IP address are usable as indicators of compromise.

How the attackers gained the ability to push modified releases of these plugins remains unknown, but the earliest signs of this software supply chain attack date back to June 21, 2024.

The affected plugins have been removed from the WordPress plugin directory while they are under review. The version ranges below are the releases carrying the injected code; “N/A” means no cleaned release was available at the time of the report:

– Social Warfare 4.4.6.4 – 4.4.7.1 (Patched version: 4.4.7.3) – 30,000+ installs
– Blaze Widget 2.2.5 – 2.5.2 (Patched version: N/A) – 10+ installs
– Wrapper Link Element 1.0.2 – 1.0.3 (Patched version: N/A) – 1,000+ installs
– Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (Patched version: N/A) – 700+ installs
– Simply Show Hooks 1.2.1 (Patched version: N/A) – 4,000+ installs

If any of the listed versions is installed, treat the site as compromised rather than simply updating: a cleaned plugin release replaces the plugin files but does not remove administrator accounts or footer code that the malicious version already added. Check for administrator accounts you did not create (in particular “Options” and “PluginAuth”), delete them, and look for plugin files that reference the attacker-controlled IP. More generally, install plugins and themes only from reputable sources, keep them up to date, and monitor the site for unusual activity such as unexpected admin accounts.
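The following script is an added triage example written for this article; it is not part of the original report or of any of the affected plugins. It checks the two indicators the report gives: administrator usernames matching “Options” or “PluginAuth,” and plugin files containing the attacker-controlled IP address. On a real site the list of administrator logins would come from WP-CLI (wp user list --role=administrator --field=user_login) and the file scan would run over wp-content/plugins; here both inputs are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the report. Triage checks for the indicators
# of compromise listed in the article. Inputs are constructed sample data;
# in production feed flag_rogue_admins the output of
#   wp user list --role=administrator --field=user_login
# and point scan_for_c2 at wp-content/plugins.

# Usernames the injected code was reported to create.
ROGUE_USERS='Options PluginAuth'
# Attacker-controlled address the account details were sent to
# (written defanged in the article as 94.156.79[.]8).
C2_IP='94.156.79.8'

# flag_rogue_admins: read one administrator login per line on stdin and
# print the ones that exactly match a known rogue username. Exact match is
# deliberate: a legitimate account such as "options_editor" must not trip it.
flag_rogue_admins() {
    while IFS= read -r login; do
        for rogue in $ROGUE_USERS; do
            if [ "$login" = "$rogue" ]; then
                printf '%s\n' "$login"
            fi
        done
    done
}

# scan_for_c2 DIR: list files under DIR containing the C2 address. -F makes
# it a fixed-string search so the dots in the IP are not regex wildcards;
# grep exits 1 when nothing matches, which is not an error for our purposes.
scan_for_c2() {
    grep -rlF -- "$C2_IP" "$1" 2>/dev/null || true
}

# Constructed sample data standing in for a real site: two legitimate
# administrators plus both rogue usernames from the report.
SAMPLE_ADMINS='editor_jane
Options
siteowner
PluginAuth'

# A throwaway plugin tree: one clean file and one that references the C2
# address. The directory is removed when the shell exits.
SAMPLE_PLUGINS=$(mktemp -d)
trap 'rm -rf "$SAMPLE_PLUGINS"' EXIT
mkdir -p "$SAMPLE_PLUGINS/clean-plugin" "$SAMPLE_PLUGINS/tampered-plugin"
printf '<?php\n// constructed sample: benign plugin file\n' \
    > "$SAMPLE_PLUGINS/clean-plugin/clean-plugin.php"
printf '<?php\n// constructed sample: file referencing the C2 address\n$c2 = "http://%s/";\n' "$C2_IP" \
    > "$SAMPLE_PLUGINS/tampered-plugin/tampered-plugin.php"

# run_checks: execute both checks against the constructed data and print
# the findings. Expected: Options, PluginAuth, and the tampered plugin file.
run_checks() {
    echo "Rogue admin accounts present:"
    printf '%s\n' "$SAMPLE_ADMINS" | flag_rogue_admins
    echo "Files referencing $C2_IP:"
    scan_for_c2 "$SAMPLE_PLUGINS"
}

run_checks
```

Both checks are indicator matches, not a full cleanup: a hit means the site should be treated as compromised and the rogue accounts and injected code removed, while a clean result only says these particular indicators were not found.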

Beyond that, enable two-factor authentication for administrator logins, keep regular backups of the site so a known-good state can be restored, and use a trusted security plugin to scan for and remove malicious code.