WordPress Plugins Hit by Widespread Supply Chain Attack


A threat actor, or possibly multiple actors, has breached several plugins on the WordPress.org platform. These plugins have been compromised with code designed to grant attackers administrative privileges and facilitate additional malicious activities.

On Monday, the WordPress.org Plug-in Review team alerted users through a forum post that the “Social Warfare” plugin had been contaminated with harmful code. After noticing the post, Wordfence researchers investigated further and identified that multiple other plugins on WordPress.org had also been injected with the same malicious code. Wordfence detailed their findings in a blog post published on June 24.

In addition to the Social Warfare plugin (versions 4.4.6.4 and 4.4.7.1), other affected plugins include: Blaze Widget (versions 2.2.5 to 2.5.2), Wrapper Link Element (versions 1.0.2 to 1.0.3), Contact Form 7 Multi-Step Addon (versions 1.0.4 to 1.0.5), and Simply Show Hooks (version 1.2.1).

Among these, Social Warfare, which focuses on social media integration, has the largest user base with over 30,000 installations. The other plugins have only a few hundred installations each. Still, the discovery of identical malicious code across these plugins indicates a potential large-scale supply chain attack, as noted by Wordfence.

Social Warfare has been patched in version 4.4.7.3. However, this plugin, along with all other affected plugins, has been delisted and is temporarily unavailable for download. WordPress.org has not responded to Wordfence’s inquiries about this issue.

None of the other plugins currently have patched versions. The malicious code has, however, been removed from Wrapper Link Element in a new release tagged 1.0.0, a version number lower than the infected 1.0.2 and 1.0.3 releases. Because WordPress only offers an update when the available version is higher than the installed one, this discrepancy may make it difficult for users to update, according to Wordfence.

Malicious Activity Identified

The injected code in these compromised plugins “attempts to create a new administrative user account and then transmits those credentials to an attacker-controlled server” at the IP address 94.156.79.8, according to Chloe Chamberland, Wordfence’s threat intelligence lead. Additionally, the campaign leverages the infected plugins to embed malicious JavaScript into the website’s footer and scatter SEO spam across the site, Chamberland noted.

Chamberland further remarked that “the injected malicious code is neither sophisticated nor heavily obfuscated, and it includes comments throughout, making it straightforward to analyze.”

The attack likely originated on June 21, with attackers continuing to modify the plugins up to five hours before Wordfence released its report on June 24. The precise method of infection remains unclear, and Wordfence researchers are conducting a deeper investigation to uncover more details, according to Chloe Chamberland. Updates on the findings will be provided as their analysis progresses.

Mitigating WordPress Plugin Attacks

Given WordPress’s extensive use as a website platform, its plugins are frequently targeted by cyber attackers due to the broad and accessible attack surface they provide. Traditionally, attackers have focused on individual plugins with large user bases. However, Wordfence’s recent findings indicate a shift towards more ambitious supply chain attacks that exploit multiple plugins simultaneously, potentially amplifying the scope and impact of these malicious campaigns.

In response to this escalating threat, Wordfence, which specializes in WordPress security, is developing a set of malware signatures to help detect these compromised plugins. Meanwhile, users of the affected plugins should immediately remove them from their websites and initiate incident response procedures, advises Chloe Chamberland from Wordfence.

Chamberland recommends that website administrators “review their WordPress user accounts and delete any unauthorized ones, and conduct a thorough malware scan to eradicate any injected malicious code.”

Wordfence’s post also provided a range of indicators of compromise (IoCs) to help WordPress administrators detect signs of this campaign. These IoCs include known usernames linked to attacker-controlled admin accounts. Additionally, the post features a link to a guide offering detailed instructions on how to remove malicious code from WordPress-based websites.
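The two checks Chamberland recommends, reviewing administrator accounts and scanning for the injected code, can be scripted. The following is an added example written for this article, not Wordfence's code or the guide it links to. It assumes a CSV export of users with the columns `user_login`, `roles` and `user_registered` (the shape `wp user list --format=csv` produces), a copy of `wp-content/plugins` on disk, and that the campaign year is 2024 (the article gives only June 21). The usernames in the sample CSV are constructed; the only indicator taken from the article is the IP address 94.156.79.8. The admin-account heuristic flags any administrator that is either missing from an allow-list you maintain or was registered on or after the campaign start date; the file scan flags plugin sources that reference the reported IP, or that create a user while mentioning the administrator role.

```python
"""Audit helpers for the WordPress plugin compromise described in the article (added example)."""
from __future__ import annotations

import csv
import io
import re
from datetime import datetime
from pathlib import Path

# Indicator from the Wordfence report: the server that received the stolen admin credentials.
ATTACKER_IP = "94.156.79.8"

# Earliest date the report gives for the campaign (June 21). The year is an assumption.
CAMPAIGN_START = datetime(2024, 6, 21)


def suspicious_admins(users_csv: str, expected_admins: set[str],
                      since: datetime = CAMPAIGN_START) -> list[dict]:
    """Return administrator rows that are not in `expected_admins`
    or were registered on/after `since`, with the reason(s) for each."""
    flagged = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        roles = {r.strip() for r in row["roles"].split(",")}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if row["user_login"] not in expected_admins:
            reasons.append("not in allow-list")
        if registered >= since:
            reasons.append("created during campaign window")
        if reasons:
            flagged.append({"user_login": row["user_login"],
                            "registered": row["user_registered"],
                            "reasons": reasons})
    return flagged


# wp_insert_user / wp_create_user are the WordPress core functions that add accounts.
USER_CREATION = re.compile(r"\bwp_(insert|create)_user\s*\(")


def scan_plugin_text(text: str) -> list[str]:
    """Return reasons a plugin source file looks related to this campaign (empty list if clean)."""
    reasons = []
    if ATTACKER_IP in text:
        reasons.append(f"references attacker IP {ATTACKER_IP}")
    if USER_CREATION.search(text) and "administrator" in text:
        reasons.append("creates a user and mentions the administrator role (heuristic)")
    return reasons


def scan_plugins_dir(plugins_dir: Path) -> dict[str, list[str]]:
    """Walk a plugins directory; map relative path -> reasons for every flagged .php/.js file."""
    findings: dict[str, list[str]] = {}
    for path in sorted(plugins_dir.rglob("*")):
        if path.suffix not in (".php", ".js") or not path.is_file():
            continue
        reasons = scan_plugin_text(path.read_text(errors="replace"))
        if reasons:
            findings[str(path.relative_to(plugins_dir))] = reasons
    return findings


# Constructed sample data so the helpers can be exercised offline.
SAMPLE_USERS_CSV = """user_login,roles,user_registered
siteowner,administrator,2021-03-02 10:15:00
editor1,editor,2022-07-19 08:00:00
wpuser_cache,administrator,2024-06-22 03:41:17
"""

# Constructed fragment (not the real injected code): only the indicators the detector keys on.
SAMPLE_PLUGIN_FILE = (
    "<?php\n"
    "$x = wp_insert_user($args_with_role_administrator);\n"
    "$endpoint = 'http://94.156.79.8/';\n"
)

if __name__ == "__main__":
    for hit in suspicious_admins(SAMPLE_USERS_CSV, expected_admins={"siteowner"}):
        print("ADMIN", hit)
    print("FILE", scan_plugin_text(SAMPLE_PLUGIN_FILE))
    # Against a real site: print(scan_plugins_dir(Path("/var/www/html/wp-content/plugins")))
```

The allow-list check matters more than the date check: an attacker can backdate `user_registered` directly in the database, so an unknown administrator should be treated as unauthorized regardless of its registration date.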
