Malicious code injected over the past week in five WordPress plugins creates a new administrative account, WordPress security firm Defiant reports.
The code was discovered on Monday, after the WordPress.org Plugin Review Team learned that a threat actor had taken over the Social Warfare plugin and added the malicious code in recent versions.
Starting June 22, several versions of the plugin were released with the injected code inside. Social Warfare versions 4.4.6.4 to 4.4.7.1 contain the malicious code and users are advised to update to version 4.4.7.3 as soon as possible.
“If you have used versions 4.4.6.4 to 4.4.7.1 of the Social Warfare plugin, we strongly recommend you do an in-depth review of your site’s activity and user account details,” the WordPress team notes.
While investigating the incident, Defiant discovered that four other plugins – namely Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks – also contain the malicious code.
“At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server. In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website,” Defiant explains.
The first infections were observed on June 21 and the threat actor continued to update the compromised plugins as of Monday.
Users of Blaze Widget versions 2.2.5 to 2.5.2, Wrapper Link Element versions 1.0.2 and 1.0.3, Contact Form 7 Multi-Step Addon versions 1.0.4 and 1.0.5, and Simply Show Hooks 1.2.1 are advised to remove the plugins and look for rogue administrative accounts on their websites.
All five plugins have been closed by the WordPress team and are no longer available for download. While newer versions are available for four of them, it is unclear whether the latest iterations have been purged of the malicious code – except for Social Warfare version 4.4.7.3.
The infected plugins are open source and have a combined active installation base of over 30,000 sites. According to Defiant, the plugins were likely compromised as part of a supply chain attack.
Related: Critical WordPress Plugin Flaws Exploited to Inject Malicious Scripts and Backdoors
Related: Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors
Related: Attacks Targeting Recent WordPress File Manager Flaw Ramping Up
