WordPress Plugins Compromised; Rogue Admin Accounts

Identified by the Wordfence Threat Intelligence Team, multiple WordPress plugins have been backdoored with injected malicious code that creates rogue administrator accounts, giving the attackers a foothold for performing arbitrary actions on affected sites. The compromise was first discovered on June 22, 2024.

Wordfence Security Researcher Chloe Chamberland had this to say in an alert last Monday: “The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server. In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website.”

The rogue administrative accounts have usernames such as “Options” and “PluginAuth”, and the account details are exfiltrated to the IP address 94.156.79.8. It is currently unknown how the attackers behind this campaign managed to compromise the plugins; however, the earliest signs of the software supply chain attack date back to June 21st of this year.

The plugins currently compromised include:

Social Warfare to (30,000+ installs)

Blaze Widget 2.2.5 – 2.5.2 (10+ installs)

Wrapper Link Element 1.0.2 – 1.0.3 (1,000+ installs)

Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (700+ installs)

Simply Show Hooks 1.2.1 (4,000+ installs)

More plugins may be affected. Those listed above are no longer available for installation and are currently under review by WordPress.

Organizations and users of the plugins listed above have been advised to inspect their sites for unauthorized administrative accounts, delete them, and remove any injected malicious code. That code appears to consist mostly of JavaScript injected into site footers to add SEO spam; it is not heavily obfuscated, so removing it is a fairly simple task.
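As an added illustration of the inspection step (this is not code from the article or from Wordfence), the Python script below scans a plugin directory for the two indicators the article names, the exfiltration address and the rogue usernames appearing as string literals, and checks an administrator list shaped like `wp user list --role=administrator --format=json` output for those names. The `demo()` fixture files are constructed here and are not real plugin code.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article: the exfiltration address and the rogue admin usernames.
EXFIL_IP = "94.156.79.8"
ROGUE_USERNAMES = {"Options", "PluginAuth"}

# Line-level patterns: the hard-coded address, and a rogue username as a PHP/JS string literal.
PATTERNS = {
    "exfil_ip": re.compile(re.escape(EXFIL_IP)),
    "rogue_username_literal": re.compile(
        r"""['"](?:%s)['"]""" % "|".join(sorted(ROGUE_USERNAMES))),
}

def scan_file(path):
    """Return (indicator, line_no, line) for each matching line in one file."""
    hits = []
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((name, line_no, line.strip()))
    return hits

def scan_tree(root):
    """Walk a plugin directory; return sorted (relative path, indicator, line_no, line) tuples."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".js", ".html"}:
            rel = path.relative_to(root).as_posix()
            findings += [(rel, *hit) for hit in scan_file(path)]
    return sorted(findings)

def flag_rogue_admins(users):
    """Take dicts shaped like `wp user list --role=administrator --format=json` output
    and return the logins matching the rogue names (compared case-insensitively)."""
    wanted = {u.lower() for u in ROGUE_USERNAMES}
    return sorted(u["user_login"] for u in users if u["user_login"].lower() in wanted)

def demo():
    """Constructed fixture: one backdoored-looking plugin file beside a clean one."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp, "sample-plugin", "sample-plugin.php")
        bad.parent.mkdir(parents=True)
        bad.write_text("<?php\n// constructed: reports to 94.156.79.8\n"
                       "wp_insert_user(['user_login' => 'PluginAuth', 'role' => 'administrator']);\n")
        Path(tmp, "clean.php").write_text("<?php echo 'ok';\n")
        return scan_tree(tmp)
```

Any hit from `scan_tree` on a live `wp-content/plugins` tree is a lead to examine by hand, not proof on its own, since the SEO-spam footer JavaScript the article describes carries no fixed signature here.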