WordPress Plugin Supply Chain Attacks on the Rise

WordPress plugins continue to face threats from hackers who exploit stolen credentials from other data breaches to gain direct access to plugin code. These supply chain attacks are particularly concerning because they can disguise themselves as normal plugin updates, making them difficult for users to detect.

Supply Chain Attack

Typically, a software vulnerability allows an attacker to inject malicious code or launch another type of attack because of a flaw in the code. A supply chain attack is different: the software itself, or a component of it such as a third-party script, is directly altered to contain malicious code, so the software's own distribution channel delivers the malicious files.

The United States Cybersecurity and Infrastructure Security Agency (CISA) defines a supply chain attack as:

"A software supply chain attack happens when a cyber threat actor infiltrates a software vendor’s network and uses malicious code to compromise the software before the vendor sends it to their customers. This compromised software then compromises the customer’s data or system.

New software might be compromised from the outset, or the compromise might occur through a patch or hotfix. In these scenarios, the compromise still happens before the patch or hotfix reaches the customer’s network. These kinds of attacks affect all users of the compromised software and can have widespread impacts on government, critical infrastructure, and private sector clients."

For the current attack on WordPress plugins, hackers use stolen credentials to access developer accounts and insert malicious code into the plugins. This enables them to create administrator-level user accounts on every website that employs the compromised WordPress plugins.

Today, Wordfence announced that additional WordPress plugins have been identified as compromised. More plugins may also be at risk, so it’s crucial to understand the situation and proactively protect sites under your control.

More WordPress Plugins Attacked

Wordfence issued an advisory indicating more plugins have been compromised, including a highly popular podcasting plugin called PowerPress Podcasting by Blubrry.

These newly compromised plugins announced by Wordfence are:

  • WP Server Health Stats (wp-server-stats): 1.7.6
    • Patched Version: 1.7.8
    • 10,000 active installations
  • Ad Invalid Click Protector (AICP) (ad-invalid-click-protector): 1.2.9
    • Patched Version: 1.2.10
    • 30,000+ active installations
  • PowerPress Podcasting plugin by Blubrry (powerpress): 11.9.3 – 11.9.4
    • Patched Version: 11.9.6
    • 40,000+ active installations
  • Latest Infection – Seo Optimized Images (seo-optimized-images): 2.1.2
    • Patched Version: 2.1.4
    • 10,000+ active installations
  • Latest Infection – Pods – Custom Content Types and Fields (pods): 3.2.2
    • Patched Version: No patched version needed currently.
    • 100,000+ active installations
  • Latest Infection – Twenty20 Image Before-After (twenty20): 1.6.2, 1.6.3, 1.5.4
    • Patched Version: No patched version needed currently.
    • 20,000+ active installations

First Group of Compromised Plugins

  • Social Warfare
  • Blaze Widget
  • Wrapper Link Element
  • Contact Form 7 Multi-Step Addon
  • Simply Show Hooks

What To Do If Using A Compromised Plugin

Some of the plugins have been updated to address the issue, but not all of them. Regardless, site owners should check their databases to ensure no rogue admin accounts have been added to their WordPress websites.

The attack creates administrator accounts with the usernames “Options” or “PluginAuth,” so these are the usernames to watch for. However, it’s wise to look for any unrecognized admin-level user accounts in case the attack has evolved and hackers are using different usernames.

Site owners running the free or Pro version of the Wordfence WordPress security plugin will be notified of compromised plugins. Pro-level users receive malware signatures immediately to detect infected plugins.

The official Wordfence warning announcement advises:

"If you have any of these plugins installed, consider your installation compromised and immediately go into incident response mode. We recommend checking your WordPress administrative user accounts, deleting any unauthorized ones, and running a complete malware scan with the Wordfence plugin or Wordfence CLI to remove any malicious code.

Wordfence Premium, Care, and Response users, as well as paid Wordfence CLI users, have malware signatures to detect this malware. Wordfence free users will receive the same detection after a 30-day delay on July 25th, 2024. If you are running a malicious version of one of the plugins, the Wordfence Vulnerability Scanner will notify you of a vulnerability on your site and you should update the plugin where available or remove it as soon as possible."

Read more:

  • WordPress Plugins Compromised At The Source – Supply Chain Attack
  • 3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords

Feature Image by Shutterstock/Moksha Labs
