Multiple WordPress plugins have been compromised to inject malicious code that enables the creation of rogue administrator accounts, allowing attackers to perform arbitrary actions.
“The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server,” Wordfence security researcher Chloe Chamberland stated in an alert on Monday. Additionally, the threat actor injected malicious JavaScript into the website footers to add SEO spam throughout the site.
The rogue admin accounts use the usernames “Options” and “PluginAuth,” and their credentials are exfiltrated to the IP address 94.156.79[.]8. How the attackers obtained the access needed to modify the plugins is not yet known, but the earliest indications of this software supply chain attack date back to June 21, 2024.
The affected plugins, which are no longer available for download from the WordPress plugin directory pending review, include:
Social Warfare 4.4.6.4 – 4.4.7.1 (Patched version: 4.4.7.3) – 30,000+ installs
Blaze Widget 2.2.5 – 2.5.2 (Patched version: N/A) – 10+ installs
Wrapper Link Element 1.0.2 – 1.0.3 (Patched version: N/A) – 1,000+ installs
Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (Patched version: N/A) – 700+ installs
Simply Show Hooks 1.2.1 (Patched version: N/A) – 4,000+ installs
Users of these plugins are advised to inspect their sites for unexpected administrator accounts (in particular “Options” and “PluginAuth”) and delete them, remove any injected code from the plugin files and site footers, and update Social Warfare to 4.4.7.3; for the plugins with no patched version, uninstalling them until a clean release is published is the safer course. Outbound connections to 94.156.79[.]8 in web-server or firewall logs are a further sign that a site was affected.
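The check described above, written out as an added example (this is not code from the advisory, Wordfence or any of the affected plugins): it looks for the two indicators the alert names, the rogue usernames and the exfiltration IP, in a list of administrator logins and in the files under a plugin directory. The sample plugin files it writes are constructed stand-ins that merely contain those indicator strings; they are not the real injected code. On a live site the login list would come from `wp user list --role=administrator --field=user_login` and the directory would be `wp-content/plugins`.

```python
"""Offline IOC scan for the WordPress plugin backdoor described above.

Indicators (usernames, IP) are from the advisory; every file written by
build_constructed_sample() is invented for this example.
"""
import re
import tempfile
from pathlib import Path

# Indicators taken from the advisory text.
ROGUE_USERNAMES = {"Options", "PluginAuth"}
EXFIL_IP = "94.156.79.8"

# Regexes over plugin source. The IP is matched in plain and "defanged"
# (94.156.79[.]8) form so a pasted IOC list also hits. Usernames are only
# matched as PHP string literals, because a bare word "Options" appears in
# plenty of legitimate plugin code and would be too noisy.
IOC_PATTERNS = {
    "exfil_ip": re.compile(r"94\.156\.79(?:\.|\[\.\])8(?!\d)"),
    "rogue_username": re.compile(r"""['"](?:Options|PluginAuth)['"]"""),
}
SCAN_SUFFIXES = {".php", ".js", ".html"}


def find_rogue_admins(user_logins):
    """Return the advisory's rogue logins that exist among the site's admins.

    `user_logins` is any iterable of administrator login names, e.g. the
    lines printed by `wp user list --role=administrator --field=user_login`.
    """
    return sorted(login for login in user_logins if login in ROGUE_USERNAMES)


def scan_file(path):
    """Return the names of the IOC patterns that match inside one file."""
    text = Path(path).read_text(errors="replace")
    return [name for name, rx in IOC_PATTERNS.items() if rx.search(text)]


def scan_tree(root):
    """Walk a plugin directory and map each matching file to its IOC hits.

    Only source-like suffixes are read; images and other assets are skipped.
    Paths are reported relative to `root` with forward slashes.
    """
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            names = scan_file(path)
            if names:
                hits[path.relative_to(root).as_posix()] = names
    return hits


def build_constructed_sample(root):
    """Write a CONSTRUCTED mini plugins tree for demonstration only.

    The 'tainted' file is not the real backdoor; it just carries the
    indicator strings so the scanner has something to find.
    """
    root = Path(root)
    clean = root / "good-plugin" / "good-plugin.php"
    clean.parent.mkdir(parents=True, exist_ok=True)
    clean.write_text(
        "<?php\n// Harmless constructed plugin that stores an option.\n"
        "update_option('gp_flag', 1);\n"
    )
    tainted = root / "tainted-plugin" / "includes" / "helper.php"
    tainted.parent.mkdir(parents=True, exist_ok=True)
    tainted.write_text(
        "<?php\n// Constructed stand-in: references the exfil host and a rogue login.\n"
        "$u = 'PluginAuth';\n"
        "$endpoint = 'http://94.156.79.8/';\n"
    )
    return root


def demo():
    """Build the constructed tree in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_constructed_sample(tmp))


if __name__ == "__main__":
    print("file hits:", demo())
    # Constructed admin list; on a real site pipe in the wp-cli output instead.
    print("rogue admins:", find_rogue_admins(["admin", "PluginAuth", "editor_bob"]))
```

A file hit on the IP alone is strong evidence; a hit on a quoted username should still be read in context before the plugin is declared compromised. The account check is the reliable one, and it should be run regardless of what the file scan finds, since an attacker who already has an admin account no longer needs the plugin code.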