A supply-chain attack on WordPress sites has taken place. The attacker modified the source code of at least five plugins hosted on WordPress.org to include malicious PHP scripts that create new accounts with administrative privileges on the websites that use them. This was reported by Bleeping Computer.
The Wordfence Threat Intelligence team detected the attack, which took place on June 21 and 22.
As soon as Wordfence discovered the malicious code, the company notified the plugin developers, and patches for most of these plugins were released on June 24.
Together, these five plugins have been installed on more than 35,000 websites:
- Social Warfare 4.4.6.4 to 4.4.7.1 (fixed in version 4.4.7.3)
- Blaze Widget 2.2.5 to 2.5.2 (fixed in version 2.5.4)
- Wrapper Link Element 1.0.2 to 1.0.3 (fixed in version 1.0.5)
- Contact Form 7 Multi-Step Addon 1.0.4 to 1.0.5 (fixed in version 1.0.7)
- Simply Show Hooks 1.2.1 to 1.2.2 (the patch is not yet ready)
Wordfence notes that it does not yet know how the attacker gained access to the plugins' source code, but is investigating.
While it is possible that the attack affects more WordPress plugins, the current evidence suggests the compromise is limited to the five plugins listed above.
The malicious code in the infected plugins attempts to create new administrator accounts and inject SEO spam into the compromised website.
“In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website.”
The stolen data is transmitted to the IP address 94.156.79[.]8, and the rogue administrator accounts are named "Options" and "PluginAuth," the researchers say.
Website owners who have noticed such accounts, or traffic to the attacker's IP address, should audit their sites.
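The two indicators the article gives (the rogue administrator logins and the attacker's IP address) can be turned into a quick site audit. The following is an added example written for this page, not code from Wordfence or from the plugins involved. It assumes the user list is exported with `wp user list --format=json` (the `user_login` and `roles` fields it emits are an assumption about that tool's output) and that the plugin directory is a normal `wp-content/plugins` tree; the sample user records and plugin files are constructed for illustration and are not real plugin code.

```python
import json
import tempfile
from pathlib import Path

# Indicators reported in the article for this campaign.
IOC_IP = "94.156.79.8"
IOC_ADMIN_LOGINS = {"Options", "PluginAuth"}


def find_rogue_admins(users_json: str) -> list:
    """Flag administrator accounts whose login matches the reported names.

    users_json is assumed to be the output of `wp user list --format=json`
    (assumption: a list of objects with "user_login" and "roles" fields).
    """
    flagged = []
    for user in json.loads(users_json):
        roles = user.get("roles", "")
        # wp-cli emits roles as a comma-separated string; a list is tolerated too.
        if isinstance(roles, str):
            roles = [r.strip() for r in roles.split(",") if r.strip()]
        if "administrator" in roles and user.get("user_login") in IOC_ADMIN_LOGINS:
            flagged.append(user)
    return flagged


def scan_plugins_for_ioc(plugins_dir: str) -> list:
    """Return (relative path, line number) for plugin source lines containing the IoC IP.

    Only a plain-text match is attempted; an obfuscated or encoded form of the
    address would not be caught, so a clean result is not proof of a clean site.
    """
    root = Path(plugins_dir)
    hits = []
    for path in root.rglob("*"):
        if path.suffix not in (".php", ".js"):
            continue
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, 1):
                if IOC_IP in line:
                    hits.append((str(path.relative_to(root)), line_no))
    return hits


# Constructed sample export: one legitimate admin, one rogue admin, one editor.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "roles": "administrator"},
    {"ID": 7, "user_login": "Options", "roles": "administrator"},
    {"ID": 8, "user_login": "editor1", "roles": "editor"},
])


def build_sample_plugin_tree(root: str) -> None:
    """Write a constructed plugin tree: one clean stub and one stub referencing the IoC."""
    clean = Path(root) / "clean-plugin" / "clean-plugin.php"
    tainted = Path(root) / "example-plugin" / "example-plugin.php"
    clean.parent.mkdir(parents=True, exist_ok=True)
    tainted.parent.mkdir(parents=True, exist_ok=True)
    clean.write_text("<?php\n// constructed clean plugin stub\n", encoding="utf-8")
    tainted.write_text(
        "<?php\n// constructed sample: a callback to the reported address\n"
        "$u = 'http://94.156.79.8/';\n",
        encoding="utf-8",
    )


def demo_scan() -> list:
    """Build the constructed plugin tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_plugin_tree(tmp)
        return scan_plugins_for_ioc(tmp)


if __name__ == "__main__":
    for user in find_rogue_admins(SAMPLE_USERS_JSON):
        print(f"rogue admin: ID={user['ID']} login={user['user_login']}")
    for rel_path, line_no in demo_scan():
        print(f"IoC IP referenced in {rel_path}:{line_no}")
```

On a live site, pipe the real `wp user list --format=json` output into `find_rogue_admins` and point `scan_plugins_for_ioc` at `wp-content/plugins`. Deleting a flagged account and updating the plugin removes the visible indicators, but an attacker with an administrator session may have installed other persistence, so a full review of users, plugins and theme footers is still warranted.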