
WordPress.org plugins hijacked in supply chain attack

A malicious actor has modified the source code of at least five plugins hosted on WordPress.org to include malicious PHP scripts that create new accounts with administrative privileges on the websites running them.

The attack was discovered yesterday by the Wordfence Threat Intelligence team, but the malicious injections appear to have taken place towards the end of last week, between June 21 and 22.


As soon as Wordfence discovered the flaw, the company notified the plugins’ developers, which resulted in fixes being released for most of the products yesterday.

Together, the five plugins have been installed on over 35,000 websites:

  • Social Warfare 4.4.6.4 to 4.4.7.1 (fixed in version 4.4.7.3)
  • Blaze Widget 2.2.5 to 2.5.2 (fixed in version 2.5.4)
  • Wrapper Link Element 1.0.2 to 1.0.3 (fixed in version 1.0.5)
  • Contact Form 7 Multi-Step Addon 1.0.4 to 1.0.5 (fixed in version 1.0.7)
  • Simply Show Hooks 1.2.1 to 1.2.2 (no fixes available at this time)

Wordfence says it doesn’t know how the threat actor managed to gain access to the plugins’ source code, but an investigation is underway.

While it is possible that the attack affects a larger number of WordPress plugins, current evidence suggests that the compromise is limited to the five plugins listed above.

How the backdoor works and IoC

The malicious code contained in infected plugins attempts to create new administrator accounts and inject SEO spam into the compromised website.

“At this point, we know that the injected malware attempts to create a new administrative user account and then sends this information back to the server controlled by the attacker,” Wordfence explains.

“Additionally, it appears that the threat actor also injected malicious JavaScript into the website’s footer, which appears to add SEO spam across the entire website.”

The data is transmitted to the IP address 94.156.79(.)8, and the administrator accounts the malware creates are named “Options” and “PluginAuth”, the researchers say.

Website owners who notice such accounts or traffic to the attacker’s IP address should perform a full malware scan and cleanup.
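The following script is an added example for this article; it is not code from BleepingComputer or Wordfence. It turns the two pieces of defender-relevant information on this page, the affected plugin version ranges and the indicators of compromise (the reported IP address and the two account names), into a local triage check. The plugin display names, the version ranges and the IoCs are taken from the article; the log line format, the user-list format, the sample data and the function names are constructed assumptions for the example.

```python
import re

# Affected version ranges and fixed versions, exactly as listed in the article.
# Keys are the plugin display names used on the page (not WordPress.org slugs,
# which the article does not give). A fixed version of None means no fix was
# available at the time of writing.
AFFECTED_PLUGINS = {
    "Social Warfare": ("4.4.6.4", "4.4.7.1", "4.4.7.3"),
    "Blaze Widget": ("2.2.5", "2.5.2", "2.5.4"),
    "Wrapper Link Element": ("1.0.2", "1.0.3", "1.0.5"),
    "Contact Form 7 Multi-Step Addon": ("1.0.4", "1.0.5", "1.0.7"),
    "Simply Show Hooks": ("1.2.1", "1.2.2", None),
}

# Indicators of compromise reported by Wordfence (defanged form on the page).
IOC_IP = "94.156.79.8"
IOC_ADMIN_USERNAMES = {"Options", "PluginAuth"}

# Match the IoC IP only as a whole address, so 94.156.79.80 is not a false hit.
IOC_IP_RE = re.compile(r"(?<![\d.])" + re.escape(IOC_IP) + r"(?![\d.])")


def parse_version(v):
    """Turn '4.4.7.1' (or '2.5.4-beta') into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def plugin_status(name, version):
    """Classify one installed plugin against the article's version ranges.

    Returns one of:
      'affected'   - version lies inside the injected range
      'fixed'      - version is at or above the published fix
      'unaffected' - version predates the injected range
      'unverified' - above the range but below (or without) a fix
      'unknown'    - plugin not named in the article
    """
    if name not in AFFECTED_PLUGINS:
        return "unknown"
    low, high, fixed = AFFECTED_PLUGINS[name]
    ver = parse_version(version)
    if parse_version(low) <= ver <= parse_version(high):
        return "affected"
    if ver < parse_version(low):
        return "unaffected"
    if fixed is not None and ver >= parse_version(fixed):
        return "fixed"
    return "unverified"


def find_ioc_ip_hits(log_text):
    """Return 1-based line numbers of log lines mentioning the IoC IP address.

    Works on any text log (firewall, proxy, connection tracking); the format
    does not matter because only the address itself is matched.
    """
    return [
        lineno
        for lineno, line in enumerate(log_text.splitlines(), start=1)
        if IOC_IP_RE.search(line)
    ]


def suspicious_admins(users):
    """Return logins of accounts that carry an IoC name from the article.

    `users` is assumed to be a list of dicts with 'user_login' and 'roles'
    keys, the shape you would get from exporting a user list as JSON.
    Names are compared case-sensitively, as the article reports them.
    """
    return [u["user_login"] for u in users if u["user_login"] in IOC_ADMIN_USERNAMES]


# Constructed sample data for a stand-alone run (not real telemetry).
SAMPLE_LOG = "\n".join([
    "2024-06-22T03:14:07Z outbound 203.0.113.10 -> 94.156.79.80:443",  # decoy, no hit
    "2024-06-22T03:14:09Z outbound 203.0.113.10 -> 94.156.79.8:80",    # hit
    "2024-06-22T03:15:00Z outbound 203.0.113.10 -> 198.51.100.7:443",
])

SAMPLE_USERS = [
    {"user_login": "admin", "roles": "administrator"},
    {"user_login": "Options", "roles": "administrator"},
    {"user_login": "editor1", "roles": "editor"},
    {"user_login": "PluginAuth", "roles": "administrator"},
]

SAMPLE_PLUGINS = [
    ("Social Warfare", "4.4.7.0"),
    ("Blaze Widget", "2.5.4"),
    ("Simply Show Hooks", "1.2.3"),
    ("Hello Dolly", "1.7.2"),
]

if __name__ == "__main__":
    for name, version in SAMPLE_PLUGINS:
        print(f"{name} {version}: {plugin_status(name, version)}")
    print("log lines contacting IoC IP:", find_ioc_ip_hits(SAMPLE_LOG))
    print("IoC-named accounts:", suspicious_admins(SAMPLE_USERS))
```

The `unverified` state is deliberate: the article gives a closed injected range and a separate fixed version, and says nothing about the builds in between (or about any build of Simply Show Hooks above the range), so the script refuses to call those clean. A hit from any of the three checks is a reason to treat the site as compromised and start incident response, as Wordfence advises, rather than to simply update the plugin.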

“If any of these plugins are installed, you should consider your installation compromised and immediately enter incident response mode,” Wordfence warns.

Wordfence notes that some of the affected plugins have been temporarily removed from WordPress.org, which may result in warnings for users even if they are using a patched version.

News Source : www.bleepingcomputer.com