Breaking News: Widespread WordPress Plugin Compromise in Active Supply Chain Attack

WordPress Supply Chain Attack

WordPress, the world’s most popular content management system, is facing a significant security threat in the form of a widespread supply chain attack. Five popular plugins available on the official WordPress.org repository have been compromised, potentially jeopardizing thousands of websites.

The discovery was made by the Wordfence Threat Intelligence team, who initially identified malicious code injected into the Social Warfare plugin. Further investigation revealed the same code in four additional plugins, indicating a coordinated and ongoing attack.

The compromised plugins are:

  • Social Warfare (Versions 4.4.6.4 – 4.4.7.1): Quickly patched with the release of version 4.4.7.3.
  • Blaze Widget (Versions 2.2.5 – 2.5.2): Currently, no patched version is available, leaving it vulnerable.
  • Wrapper Link Element (Versions 1.0.2 – 1.0.3): While the malicious code was removed, an issue with version tagging makes updating problematic.
  • Contact Form 7 Multi-Step Addon (Versions 1.0.4 – 1.0.5): No patched version released yet.
  • Simply Show Hooks (Version 1.2.1): Remains unpatched.

The malicious code operates by creating unauthorized administrative user accounts, often with generic usernames like “Options” or “PluginAuth.” These rogue accounts grant attackers backdoor access to compromised websites, allowing them to manipulate content, steal sensitive data, or cause further damage. The code also injects malicious JavaScript into website footers, likely for nefarious SEO spam activities.

The severity of this attack is heightened by the fact that the threat actor remains active, continuously updating the malicious code within the plugins. This implies an ongoing campaign, making it crucial for website owners to take immediate action.

Indicators of Compromise

The following details are crucial for WordPress site administrators:

  • Malicious Server IP: 94.156.79.8
  • Compromised Admin Usernames: “Options” and “PluginAuth”

Wordfence urges all WordPress users to check their installations for the affected plugins. If any are found, users should assume their websites are compromised and take the following steps:

  1. Review and delete unauthorized administrative accounts. Look for accounts with generic usernames or those created around the time of the suspected compromise.
  2. Perform a thorough malware scan. Utilize Wordfence or another reputable security tool to identify and remove any malicious code on your website.
  3. Update or remove affected plugins. If available, update the plugins to their latest patched versions. For plugins without patches, remove them entirely until a secure version is released.

Wordfence is working diligently to create malware signatures for the compromised plugins and will notify users through the Wordfence Vulnerability Scanner. The company also recommends additional protective measures, such as regularly updating all plugins and themes, using strong passwords and two-factor authentication, and employing web application firewalls.