A hacker has compromised multiple WordPress plugins with a backdoor

Unknown attackers modified the source code of at least five WordPress plugins hosted on WordPress.org, injecting malicious PHP into them. The backdoor creates new accounts with administrator rights on sites where the hacked plugins are installed; together the affected plugins account for roughly 36,000 installations.

According to researchers at Wordfence, who discovered the attack, the malicious injections appear to have taken place late last week, between June 21 and 22, 2024.

Once the researchers discovered the issue, they notified the plugins' developers, and patches are now available for most of them:

  • Social Warfare — more than 30,000 installations (the problem appeared in versions 4.4.6.4 to 4.4.7.1, fixed in version 4.4.7.3);
  • BLAZE Retail Widget — 10 installations (the problem appeared in versions 2.2.5 to 2.5.2, fixed in version 2.5.4);
  • Wrapper Link Elementor — 1000 installations (the problem appeared in versions 1.0.2 and 1.0.3, fixed in version 1.0.5);
  • Contact Form 7 Multi-Step Addon — 700 installations (the problem appeared in versions 1.0.4 and 1.0.5, fixed in version 1.0.7);
  • Simply Show Hooks — 4000 installations (the problem appeared in version 1.2.1, there is no patch yet).

Wordfence experts note that it is not yet clear how the attackers gained access to the source code of these plugins, and an investigation is currently ongoing.

As mentioned above, the malicious code attempts to create new accounts with administrator rights on the affected sites and then sends the details of those accounts to a server controlled by the attackers. The data was sent to the IP address 94.156.79(.)8, and the new accounts were usually named Options and PluginAuth.
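The version ranges in the list above and the indicators in this paragraph (the C2 address and the two account names) are enough for a first-pass triage of a site. The script below is an added example written for this page, not Wordfence's tooling or any of the plugins' code: it walks a plugins directory, flags any plugin whose `Plugin Name`/`Version` header falls inside an affected range, flags any PHP file that references the C2 address, and checks a user list for the reported account names. It assumes the plugin headers use the names exactly as listed above and that the user list has the shape of `wp user list --format=json` output (`user_login`, `roles`); the plugin tree it scans is constructed inline for the demonstration.

```python
"""Triage helper for the June 2024 WordPress plugin backdoor (added example)."""
import re
import tempfile
from pathlib import Path

# Indicators of compromise as reported for this campaign.
C2_IP = "94.156.79.8"
SUSPECT_USERS = {"options", "pluginauth"}

# Affected version ranges (inclusive), keyed by the plugin's "Plugin Name" header.
# Assumption: the header names match the names as listed in the report.
AFFECTED = {
    "Social Warfare": ("4.4.6.4", "4.4.7.1"),
    "BLAZE Retail Widget": ("2.2.5", "2.5.2"),
    "Wrapper Link Elementor": ("1.0.2", "1.0.3"),
    "Contact Form 7 Multi-Step Addon": ("1.0.4", "1.0.5"),
    "Simply Show Hooks": ("1.2.1", "1.2.1"),
}

# Matches " * Plugin Name: Foo" / " * Version: 1.2.3" lines in a plugin header block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(version):
    """'4.4.7.1' -> (4, 4, 7, 1); tuples compare component-wise."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(name, version):
    """True if `version` of plugin `name` lies inside its reported range."""
    rng = AFFECTED.get(name)
    if rng is None:
        return False
    lo, hi = (parse_version(v) for v in rng)
    return lo <= parse_version(version) <= hi


def read_header(php_text):
    """Extract the WordPress plugin header fields we care about."""
    return dict(HEADER_RE.findall(php_text))


def scan_plugins(plugins_dir):
    """Return (plugin_slug, reason) findings for every plugin under plugins_dir."""
    findings = []
    for plugin_dir in sorted(Path(plugins_dir).iterdir()):
        if not plugin_dir.is_dir():
            continue
        for php in sorted(plugin_dir.rglob("*.php")):
            text = php.read_text(errors="replace")
            hdr = read_header(text)
            if "Plugin Name" in hdr and "Version" in hdr and is_affected(hdr["Plugin Name"], hdr["Version"]):
                findings.append((plugin_dir.name, f"affected version {hdr['Version']} of {hdr['Plugin Name']}"))
            if C2_IP in text:  # cheap IOC check; a clean plugin has no reason to carry this address
                findings.append((plugin_dir.name, f"{php.name} references C2 {C2_IP}"))
    return findings


def suspicious_users(users):
    """Return (login, roles) for accounts using the reported backdoor names.

    `users` is a list of dicts shaped like `wp user list --format=json` output
    (assumed field names: user_login, roles). Name matches are reported
    regardless of role, since a partial cleanup may have demoted the account.
    """
    return [(u["user_login"], u.get("roles", "")) for u in users
            if u["user_login"].lower() in SUSPECT_USERS]


def demo():
    """Build a constructed plugin tree and user list, then run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "social-warfare").mkdir()
        # Constructed stand-in for an injected file: affected version + C2 reference.
        (root / "social-warfare" / "social-warfare.php").write_text(
            "<?php\n/**\n * Plugin Name: Social Warfare\n * Version: 4.4.7.1\n */\n"
            "$ch = curl_init('http://94.156.79.8/');\n")
        (root / "simply-show-hooks").mkdir()
        (root / "simply-show-hooks" / "simply-show-hooks.php").write_text(
            "<?php\n/**\n * Plugin Name: Simply Show Hooks\n * Version: 1.2.0\n */\n")
        plugin_findings = scan_plugins(root)
    users = [  # constructed sample of a user export
        {"user_login": "admin", "roles": "administrator"},
        {"user_login": "PluginAuth", "roles": "administrator"},
        {"user_login": "Options", "roles": "subscriber"},
    ]
    return plugin_findings, suspicious_users(users)


if __name__ == "__main__":
    for section in demo():
        for item in section:
            print(*item, sep=": ")
```

A clean result from this script is not proof of a clean site: the attackers also planted footer JavaScript and could have left other changes, so treat it as a quick way to confirm exposure before the fuller incident-response work of rotating credentials, reviewing all administrator accounts and reinstalling plugins from the patched releases.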

In addition, the attackers are reported to have injected SEO spam into the compromised sites.

“The attackers also appeared to inject malicious JavaScript code into the sites’ footers, and this appears to have added SEO spam to the entire site,” the researchers wrote.

Wordfence warns that all site owners with the listed plugins installed should consider their resources compromised and immediately “go into incident response mode.”

It is also noted that some of the plugins may be temporarily unavailable on WordPress.org, which may cause users to receive warnings even if they are already running fixed versions.
