Severity
High
Analysis Summary
Several WordPress plugins have been compromised to introduce malicious code through backdoors, enabling the creation of rogue administrator accounts that may be used to carry out arbitrary tasks.
On June 24, 2024, the Wordfence Threat Intelligence team identified malicious code injections in the Social Warfare plugin following a forum post from the WordPress.org Plugin Review team. The infections began on June 22, and further analysis revealed four additional compromised plugins: Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon and Simply Show Hooks.
These plugins, in versions 2.2.5 to 2.5.2 for Blaze Widget and other specified versions for the remaining plugins, were promptly delisted by the WordPress plugins team. Even so, most of the plugins have no patch available; the exception is Social Warfare, which has been patched in version 4.4.7.3.
According to the report, the injected malware aims to create unauthorized administrative user accounts and sends this information to an attacker-controlled server. Additionally, the malware injects SEO spam through malicious JavaScript in the website's footer. The attack, which started around June 21, 2024, is relatively unsophisticated and easy to trace, with the threat actor actively updating the plugins up to five hours before detection. The infection method remains unknown, prompting the team to continue their investigation and develop malware signatures for detection.
Users with these plugins installed should consider their sites compromised and take immediate action by removing the affected plugins, checking for unauthorized administrative accounts, and conducting a comprehensive malware scan.
Impact
- Exposure of Sensitive Data
- Code Injection
- Privilege Escalation
- Unauthorized Access
Affected Vendors
Remediation
- Upgrade to the latest version of the plugin for WordPress, available from the WordPress Plugin Directory.
- Check your WordPress administrative user accounts and delete any unauthorized accounts.
- Run a complete malware scan with the Wordfence plugin or Wordfence CLI and remove any detected malicious code.
- Refer to Wordfence’s full guide for cleaning your WordPress site for detailed cleanup instructions.
- Enhance the security of your WordPress site by implementing two-factor authentication.
- Keep your WordPress core and all installed plugins up to date.
- Conduct regular security audits of your WordPress site.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Keep all software, operating systems, and applications updated with the latest security patches.
- Continuously monitor network and system logs for unusual or suspicious activities.
- Review and secure website code to prevent open redirect vulnerabilities.
- Educate all site administrators about security best practices and the potential risks associated with phishing emails, fake security advisories, and malicious plugins.
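To find the plugins named in the Analysis Summary on a server before removing them, the following added example (not part of the original advisory or of Wordfence's tooling) reads the standard WordPress plugin header from each plugin's PHP files and reports the ones named here. It assumes each plugin's `Plugin Name:` header contains the name as this advisory spells it, and its version checks use only the versions the advisory states.

```python
import re
import sys
from pathlib import Path

# Plugin names as this advisory spells them. Assumption: each plugin's
# "Plugin Name:" header contains that spelling (matched case-insensitively).
NAMED = ["Social Warfare", "Blaze Widget", "Wrapper Link Element",
         "Contact Form 7 Multi-Step Addon", "Simply Show Hooks"]
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)


def vtuple(version):
    """'4.4.7.3' -> (4, 4, 7, 3); non-numeric parts are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def read_header(php_file):
    """Return (name, version) from a WordPress plugin header, or None."""
    head = php_file.read_text(errors="replace")[:8192]  # headers sit at the top
    fields = {k.lower(): v for k, v in HEADER.findall(head)}
    return (fields["plugin name"], fields.get("version", "")) if "plugin name" in fields else None


def classify(name, version):
    """Status from the advisory's stated versions; None if the plugin is not named."""
    hit = next((n for n in NAMED if n.lower() in name.lower()), None)
    if hit is None:
        return None
    v = vtuple(version)
    if hit == "Social Warfare" and v >= (4, 4, 7, 3):
        return "patched"          # fixed release; still audit admin accounts
    if hit == "Blaze Widget" and (2, 2, 5) <= v <= (2, 5, 2):
        return "in-listed-range"  # inside the range the advisory gives
    return "listed"               # named in the advisory; remove and investigate


def scan(plugins_dir):
    """Map 'folder/file.php' -> (name, version, status) for named plugins."""
    found = {}
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php)
        status = classify(*header) if header else None
        if status:
            found[f"{php.parent.name}/{php.name}"] = (*header, status)
    return found


if __name__ == "__main__":
    for path, (name, ver, status) in scan(sys.argv[1]).items():
        print(f"{status:16} {name} {ver} ({path})")
```

Run it with the site's `wp-content/plugins` directory as the only argument. Any hit, including `patched`, still calls for the administrator-account review and malware scan listed above.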