
A backdoor crept into multiple WordPress plugins in an ongoing supply chain attack

WordPress plugins running on as many as 36,000 websites were backdoored in a supply chain attack of unknown origin, security researchers said Monday.

So far, five plugins are known to be affected in the campaign, which was still active on Monday morning, researchers at security firm Wordfence said. Over the past week, an unknown threat actor has added malicious functionality to plugin updates available on WordPress.org, the official site for the open source WordPress CMS software. When installed, the updates automatically create an attacker-controlled administrative account that provides full control over the compromised site. The updates also inject content designed to game search results (SEO spam).

Poisoning the well

“The injected malicious code is not very sophisticated or highly obfuscated and contains comments throughout, making it easy to trace,” the researchers wrote. “The earliest injection appears to date back to June 21, 2024, and the threat was still actively updating plugins 5 hours ago.”

The five plugins are:

Over the past decade, supply chain attacks have become one of the most effective vectors for installing malware. By poisoning software at the source itself, threat actors can infect large numbers of devices when users do nothing more than run a trusted update or installer. Disaster was narrowly averted earlier this year after a backdoor planted in the widely used XZ Utils open source code library was discovered, largely by luck, a week or two before it was scheduled for general release. Examples of other recent supply chain attacks abound.

Researchers are in the process of further investigating the malware and how it became available for download on the WordPress plugin channel. Representatives for WordPress, BLAZE and Social Warfare did not respond to emailed questions. Developer representatives for the remaining three plugins could not be located because they did not provide contact information on their sites.

Wordfence researchers said the first indication they found of the attack was on Saturday from this post by a member of the WordPress Plugin Review team. The researchers analyzed the malicious file and identified four other plugins that were infected with similar code. The researchers also write:

At this point, we know that the injected malware tries to create a new administrative user account and then sends that data back to the server controlled by the attacker. In addition, the threat also appears to have injected malicious JavaScript into the footer of websites, which appears to add SEO spam throughout the website. The injected malicious code is not very complex or heavily obfuscated and contains comments throughout, making it easy to trace. The earliest injection appears to date back to June 21, 2024, and the threat was still actively updating plugins 5 hours ago. At this stage, we don’t know exactly how the threat managed to infect these add-ons.

Anyone who has installed one of these plugins should immediately uninstall it and carefully check their site for newly created admin accounts and malicious or unauthorized content. Sites using the Wordfence Vulnerability Scanner will receive a warning if they run any of the plugins.

The Wordfence post also recommends that people check their sites for links from the IP address 94.156.79.8 and admin accounts with usernames Options or PluginAuth.
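The checks Wordfence recommends above (newly created admin accounts, the usernames Options and PluginAuth, traffic involving 94.156.79.8, and script injected into the page footer) can be run over data exported from a site. The script below is an added example written for this article; it is not code from Wordfence or from WordPress. The user list, access-log lines and footer HTML are constructed samples, the function names are mine, and the "flag any footer script served from a host other than the site's own" heuristic is an assumption of this example, since the article does not describe the injected JavaScript in more detail. The indicator values themselves (IP, usernames, June 21, 2024 date) are the ones the article reports.

```python
"""Triage helpers for the WordPress plugin backdoor indicators named in the article.
Added example; sample inputs below are constructed, not real site data."""
import re
from datetime import date
from urllib.parse import urlparse

# Indicators reported by Wordfence (as quoted in the article).
KNOWN_BAD_USERNAMES = {"Options", "PluginAuth"}
KNOWN_BAD_IP = "94.156.79.8"
EARLIEST_INJECTION = date(2024, 6, 21)

# Constructed sample in the shape of a user export such as
# `wp user list --fields=user_login,roles,user_registered` (assumed layout).
SAMPLE_USERS = [
    {"user_login": "alice",      "roles": "administrator", "user_registered": "2021-03-02 09:00:00"},
    {"user_login": "editor1",    "roles": "editor",        "user_registered": "2024-06-25 11:30:00"},
    {"user_login": "PluginAuth", "roles": "administrator", "user_registered": "2024-06-22 03:14:07"},
    {"user_login": "helpdesk",   "roles": "administrator", "user_registered": "2024-06-23 18:45:00"},
]

# Constructed access-log lines in Apache combined format.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
94.156.79.8 - - [24/Jun/2024:10:05:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [24/Jun/2024:10:07:00 +0000] "GET / HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Constructed page footer: one first-party script and one served from elsewhere.
SAMPLE_FOOTER = """\
<footer>
<script src="https://example.org/wp-includes/js/wp-embed.min.js"></script>
<script src="https://cdn.example.net/seo.js"></script>
</footer>"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def suspicious_admins(users, since=EARLIEST_INJECTION):
    """Return logins of administrator accounts that either carry a known-bad
    username or were registered on/after `since` (the earliest injection date)."""
    hits = []
    for user in users:
        if "administrator" not in user["roles"]:
            continue
        registered = date.fromisoformat(user["user_registered"][:10])
        if user["user_login"] in KNOWN_BAD_USERNAMES or registered >= since:
            hits.append(user["user_login"])
    return hits


def requests_from_ip(log_text, ip=KNOWN_BAD_IP):
    """Return (timestamp, request line) for every access-log entry whose client is `ip`."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and match.group(1) == ip:
            hits.append((match.group(2), match.group(3)))
    return hits


def foreign_footer_scripts(footer_html, site_host):
    """Return script URLs in the footer whose host is not the site's own host.
    Heuristic assumed for this example: injected SEO scripts are usually
    loaded from infrastructure the site owner does not control."""
    foreign = []
    for src in SCRIPT_SRC_RE.findall(footer_html):
        host = urlparse(src).hostname or site_host  # relative src -> first party
        if host != site_host:
            foreign.append(src)
    return foreign


if __name__ == "__main__":
    print("Admin accounts to review:", suspicious_admins(SAMPLE_USERS))
    print("Requests from known-bad IP:", requests_from_ip(SAMPLE_LOG))
    print("Footer scripts from other hosts:",
          foreign_footer_scripts(SAMPLE_FOOTER, "example.org"))
```

On a real site the user export would come from WP-CLI or a query against the users and usermeta tables, the log text from the web server's access log, and the footer from a fetch of the rendered front page; a hit from any of the three functions is a reason to treat the site as compromised and review it fully, not proof of a clean bill of health when all three come back empty.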
