Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Supply Chain Security

Several Plugins Compromised in WordPress Supply Chain Attack 

Five WordPress plugins were injected with malicious code that creates a new administrative account.

Malicious code injected over the past week in five WordPress plugins creates a new administrative account, WordPress security firm Defiant reports.

The code was discovered on Monday, after the WordPress.org Plugin Review Team learned that a threat actor had taken over the Social Warfare plugin and added the malicious code in recent versions.

Starting June 22, several versions of the plugin were released with the injected code inside. Social Warfare versions 4.4.6.4 to 4.4.7.1 contain the malicious code and users are advised to update to version 4.4.7.3 as soon as possible.

“If you have used versions 4.4.6.4 to 4.4.7.1 of the Social Warfare plugin, we strongly recommend you do an in-depth review of your site’s activity and user account details,” the WordPress team notes.

While investigating the incident, Defiant discovered that four other plugins – namely Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks – also contain the malicious code.

“At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server. In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website,” Defiant explains.

The first infections were observed on June 21 and the threat actor continued to update the compromised plugins as of Monday.

Users of Blaze Widget versions 2.2.5 to 2.5.2, Wrapper Link Element versions 1.0.2 and 1.0.3, Contact Form 7 Multi-Step Addon versions 1.0.4 and 1.0.5, and Simply Show Hooks 1.2.1 are advised to remove the plugins and look for rogue administrative accounts on their websites.

Advertisement. Scroll to continue reading.

All five plugins have been closed by the WordPress team and are no longer available for download. While newer versions are available for four of them, it is unclear whether the latest iterations have been purged of the malicious code – except for Social Warfare version 4.4.7.3.

The infected plugins are open source and have a combined active installation base of over 30,000 sites. According to Defiant, the plugins were likely compromised as part of a supply chain attack.

Related: Critical WordPress Plugin Flaws Exploited to Inject Malicious Scripts and Backdoors

Related: Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors

Related: Attacks Targeting Recent WordPress File Manager Flaw Ramping Up

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights