A new supply chain attack has impacted several plugins hosted on WordPress.org. This WordPress vulnerability, discovered on June 24th, 2024, by the Wordfence Threat Intelligence team, initially centered around the Social Warfare plugin. The plugin was found to have been compromised with malicious code inserted as early as June 22nd, 2024, according to a forum post by the WordPress.org Plugin Review team.
Upon identifying the malicious file within Social Warfare, the Wordfence team promptly uploaded it to their internal Threat Intelligence platform for analysis. Subsequently, their investigation revealed that the same malicious code had infected four additional plugins.
Despite efforts to notify the WordPress plugins team about these compromised plugins, the response has been limited, although the affected plugins have since been delisted from the official repository.
WordPress Plugin Vulnerability Leads to Supply Chain Attack
According to Wordfence researchers, the listed plugins leading to supply chain attacks include 5 popular names. Among them, Social Warfare versions 4.4.6.4 to 4.4.7.1 were compromised, but a patched version (4.4.7.3) has since been released. Blaze Widget versions 2.2.5 to 2.5.2 and Wrapper Link Element versions 1.0.2 to 1.0.3 were also affected, with no available patched versions.
Interestingly, although the malicious code appears removed in Wrapper Link Element version 1.0.0, this version is lower than the infected ones, complicating the update process. Users are advised to uninstall the plugin until a properly tagged version is issued. Similarly impacted were Contact Form 7 Multi-Step Addon versions 1.0.4 to 1.0.5 and Simply Show Hooks version 1.2.1, with no patched versions currently released for either plugin.
The injected malware’s primary function involves attempting to create unauthorized administrative user accounts on affected websites. These accounts are then leveraged to exfiltrate sensitive data back to servers controlled by the attackers. Additionally, the attackers embedded malicious JavaScript into the footers of compromised websites, potentially impacting SEO by introducing spammy content.
Ongoing Investigation and Recovery
Despite the malicious code’s discovery, it was noted for its relative simplicity and lack of heavy obfuscation, featuring comments throughout that made it easier to trace. The attackers appear to have begun their activities as early as June 21st, 2024, and were actively updating plugins as recently as a few hours before detection.
The Wordfence team is currently conducting a thorough analysis to develop malware signatures aimed at detecting compromised versions of these plugins. They advise website administrators to utilize the Wordfence Vulnerability Scanner to check for vulnerable plugins and take immediate action—either by updating to patched versions or removing affected plugins altogether.
Key indicators of compromise include the IP address 94.156.79.8, used by the attackers’ server, and specific unauthorized administrative usernames such as ‘Options’ and ‘PluginAuth’. To mitigate risks, administrators are urged to conduct comprehensive security audits, including checking for unauthorized accounts and conducting thorough malware scans.