WordPress.org and Wordfence have issued warnings regarding hackers inserting malicious code directly into plugins at the source, leading to widespread infections through updates. This type of attack is known as a Supply Chain Attack.
Update 06-28-2024: More Plugins Are Infected
More plugins have been identified as compromised:
- WP Server Health Stats (wp-server-stats): 1.7.6
- Ad Invalid Click Protector (AICP) (ad-invalid-click-protector): 1.2.9
- PowerPress Podcasting plugin by Blubrry (powerpress): 11.9.3 – 11.9.4
- SEO Optimized Images (seo-optimized-images): 2.1.2
- Pods – Custom Content Types and Fields (pods): 3.2.2
- Twenty20 Image Before-After (twenty20): 1.6.2, 1.6.3, 1.5.4
Read more: WordPress Plugin Supply Chain Attacks Escalate
Compromised Plugins: What’s Going On
Typically, a plugin contains a vulnerability that allows an attacker to compromise individual sites using that version. However, these recent compromises are different as the plugins themselves are not vulnerable. Instead, attackers are injecting malicious code directly into the plugin’s source, forcing updates that then spread to all sites using the plugin.
Wordfence initially noticed one plugin with malicious code. Upon updating their database, they discovered four other plugins with similar malicious code. They immediately notified WordPress of their findings.
Wordfence shared details of the affected plugins:
“Social Warfare 4.4.6.4 – 4.4.7.1
Patched Version: 4.4.7.3
Blaze Widget 2.2.5 – 2.5.2
Patched Version: None
Wrapper Link Element 1.0.2 – 1.0.3
Patched Version: Latest version tagged as 1.0.0, lower than infected versions; recommend removing until a properly tagged version is released.
Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5
Patched Version: None
Simply Show Hooks 1.2.1
Patched Version: None”
WordPress has shut down all five compromised plugins at the official plugin repository and published notifications on each plugin page.
[Screenshot of a delisted WordPress plugin page]
The infected plugins create rogue admin accounts that communicate with a server. The affected websites are then altered with SEO spam links in the footer. Although sophisticated malware can be hard to detect due to obfuscation, this specific malware was noted to be easy to identify and track by Wordfence.
Wordfence noted:
“The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout, making it easy to follow. The earliest injection appears to date back to June 21st, 2024, and the threat actor was still actively making updates to plugins as recently as 5 hours ago.”
WordPress Issues Advisory On Compromised Plugins
The advisory explains that attackers are targeting plugin developers with "committer access" and using credentials from other data breaches to directly access and inject malicious code.
WordPress explained:
“On June 23 and 24, 2024, five WordPress.org user accounts were compromised by an attacker using username and password combinations previously breached on other websites. The attacker used access to these accounts to issue malicious updates to five plugins those users had committer access to.
…The affected plugins have had security updates issued by the Plugins Team to protect user security.”
The compromises appear to stem from weak credential hygiene by plugin developers rather than from flaws in the plugins themselves. WordPress has reminded developers of best practices to prevent such compromises.
How To Know If Your Site Is Compromised?
Currently, there are only five known plugins compromised with this specific code. Wordfence mentioned that hackers create admins with the usernames “Options” or “PluginAuth.” It is advised to check for any new admin accounts with these usernames. Affected sites should delete rogue admin accounts, run a malware scan with the Wordfence plugin, and remove the malicious code.
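One way to run the check described above from the command line, as an added example that is not part of the original article or of Wordfence's tooling: the script below filters the administrator list that WP-CLI's `wp user list` command produces and flags the two usernames Wordfence reported, plus any administrator registered on or after the earliest injection date the article gives (June 21st, 2024). The CSV sample embedded in the script is constructed for the demo, not output from a real site; the column layout matches what the `--fields=ID,user_login,user_registered --format=csv` options produce.

```shell
#!/bin/sh
# Added example: audit WordPress administrator accounts for the rogue logins
# reported in the advisory. Input is the CSV printed by WP-CLI:
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
# The rows below are CONSTRUCTED sample data for demonstration only.
SAMPLE_ADMINS='ID,user_login,user_registered
1,siteowner,2019-03-04 10:22:01
57,Options,2024-06-23 03:14:09
58,PluginAuth,2024-06-24 11:02:44
12,editor_jane,2023-11-30 09:00:00'

# Earliest injection date named in the article; any admin created on or after
# it deserves a manual look even if the username is not one of the known two.
FIRST_INJECTION='2024-06-21'

# flag_rogue_admins CSV_TEXT
# Prints "ID,user_login,user_registered,reason" for every suspicious row.
flag_rogue_admins() {
    printf '%s\n' "$1" | awk -F, -v cutoff="$FIRST_INJECTION" '
        NR == 1 { next }                      # skip the CSV header row
        {
            reason = ""
            if ($2 == "Options" || $2 == "PluginAuth")
                reason = "known-rogue-username"
            else if ($3 >= cutoff)            # ISO timestamps sort as strings
                reason = "created-after-first-injection"
            if (reason != "")
                print $1 "," $2 "," $3 "," reason
        }'
}

# count_rogue_admins CSV_TEXT
# Number of flagged rows; handy as a non-zero signal in a cron or CI check.
count_rogue_admins() {
    flag_rogue_admins "$1" | awk 'END { print NR }'
}

# Demo run on the constructed sample. On a live site replace SAMPLE_ADMINS with:
#   flag_rogue_admins "$(wp user list --role=administrator \
#       --fields=ID,user_login,user_registered --format=csv)"
flag_rogue_admins "$SAMPLE_ADMINS"
```

Flagged accounts still need a human decision: the date filter is deliberately broad, so an administrator you legitimately created after June 21st will show up and should simply be confirmed, while a match on the two known usernames is the signal to delete the account and run the malware scan the article recommends.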
Someone in the comments asked:
“Do you think we need to be worried about other plugin updates, or was this limited to these five plugins?”
Chloe Chamberland, Threat Intelligence Lead at Wordfence, responded:
“Hi Elizabeth, at this point, it appears to be isolated to just those five plugins, so I wouldn’t worry too much about other plugin updates. However, as a precaution, I recommend reviewing the change sets of any plugin updates before updating them on any sites you run to ensure no malicious code is present.”
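A practical way to act on that advice, as an added example that is neither the commenter's nor Wordfence's code: unpack the currently installed plugin and the pending update side by side, diff them, and surface only the added lines that touch user creation, role assignment, obfuscation or outbound HTTP. The two plugin directories, their contents and the watch list of function names are constructed for the demo (the watch list is a hypothetical starting point, not taken from the advisory); on a real site you would point the function at the installed plugin directory and the extracted update zip.

```shell
#!/bin/sh
# Added example: review a plugin update's change set before applying it.
# Only added lines ("+" in unified diff output) that match WATCH are reported,
# so a reviewer sees the handful of lines worth reading instead of the whole diff.
# WATCH is a CONSTRUCTED, hypothetical watch list; extend it for your own sites.
WATCH='wp_insert_user|wp_create_user|add_role|base64_decode|eval[(]|wp_remote_post|curl_exec'

# review_changeset OLD_DIR NEW_DIR
# Prints "path: added line" for every added line matching WATCH.
review_changeset() {
    diff -ruN "$1" "$2" | awk -v pat="$WATCH" '
        /^\+\+\+ / { file = $2; next }        # "+++ new/path" header: remember the file
        /^\+/ {
            line = substr($0, 2)              # strip the leading "+"
            if (line ~ pat) print file ": " line
        }'
}

# count_flagged OLD_DIR NEW_DIR
# Number of flagged lines; zero means nothing on the watch list was added.
count_flagged() {
    review_changeset "$1" "$2" | awk 'END { print NR }'
}

# demo_setup: build a CONSTRUCTED old/new pair under a temp dir and print its path.
# The "new" version adds one line calling a user-creation API, the kind of
# addition the article says the compromised releases contained.
demo_setup() {
    base="$(mktemp -d)"
    mkdir -p "$base/old/demo-plugin" "$base/new/demo-plugin"
    cat > "$base/old/demo-plugin/demo-plugin.php" <<'EOF'
<?php
/* Plugin Name: Demo Plugin (constructed sample) */
function demo_footer() { echo '<p>Demo footer</p>'; }
add_action('wp_footer', 'demo_footer');
EOF
    cat > "$base/new/demo-plugin/demo-plugin.php" <<'EOF'
<?php
/* Plugin Name: Demo Plugin (constructed sample) */
function demo_footer() { echo '<p>Demo footer</p>'; }
add_action('wp_footer', 'demo_footer');
function demo_init() { $u = wp_insert_user($args); } // constructed suspicious addition
add_action('init', 'demo_init');
EOF
    printf '%s\n' "$base"
}

# Demo run: expect exactly one flagged line (the wp_insert_user call).
DEMO="$(demo_setup)"
review_changeset "$DEMO/old" "$DEMO/new"
rm -rf "$DEMO"
```

A hit is a prompt to read the surrounding code in context, not proof of compromise: legitimate plugins call `wp_remote_post` or `wp_insert_user` too. What matters is whether the addition is explained by the release notes and the plugin's changelog, which is the same question the commenter's advice asks you to answer before clicking update.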
Other commenters noted that they had rogue admin accounts on sites not using any of the five affected plugins. It is currently unknown if other plugins are affected.
Read Wordfence’s advisory and explanation: Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins
Read the official WordPress.org announcement: Keeping Your Plugin Committer Accounts Secure