A hacker changed the source code of at least five plugins on WordPress.org to add harmful PHP scripts. These scripts create new admin accounts on websites using the plugins.
The Wordfence Threat Intelligence team found the attack yesterday, but it seems to have happened between June 21 and June 22.
When Wordfence found the problem, they told the plugin developers right away. This led to most of the plugins getting updated with fixes yesterday.
The five plugins have been installed on more than 35,000 websites:
- Social Warfare 4.4.6.4 to 4.4.7.1 (fixed in version 4.4.7.3)
- Blaze Widget 2.2.5 to 2.5.2 (fixed in version 2.5.4)
- Wrapper Link Element 1.0.2 to 1.0.3 (fixed in version 1.0.5)
- Contact Form 7 Multi-Step Addon 1.0.4 to 1.0.5 (fixed in version 1.0.7)
- Simply Show Hooks 1.2.1 to 1.2.2 (no fix available yet)
Wordfence says it doesn’t know how the hacker accessed the plugin source code, but an investigation is ongoing.
While more WordPress plugins might be affected, current evidence shows only these five plugins were compromised.
Backdoor operation and IoCs
The harmful code in the infected plugins tries to create new admin accounts and add SEO spam to the website.
“At this stage, we know that the malware tries to create a new admin account and sends those details back to a server controlled by the attacker,” explains Wordfence.
“The attacker also added malicious JavaScript to the website’s footer, which adds SEO spam throughout the site.”
The data is sent to the IP address 94.156.79[.]8, and the fake admin accounts are named “Options” and “PluginAuth,” according to the researchers.
Website owners who notice these accounts or traffic to this IP address should do a full malware scan and cleanup.
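As an added triage example (not Wordfence's or BleepingComputer's code), the Python below flags installed plugin versions that fall inside the affected ranges listed above and checks a user list and an egress log for the IoCs in this section; the plugin inventory, user records and log lines are constructed sample input for a hypothetical site.

```python
import re

# Affected version ranges from the report (inclusive), keyed by the plugin's
# display name as the article gives it; plugin slugs are deliberately not assumed.
AFFECTED_RANGES = {
    "Social Warfare": ("4.4.6.4", "4.4.7.1"),
    "Blaze Widget": ("2.2.5", "2.5.2"),
    "Wrapper Link Element": ("1.0.2", "1.0.3"),
    "Contact Form 7 Multi-Step Addon": ("1.0.4", "1.0.5"),
    "Simply Show Hooks": ("1.2.1", "1.2.2"),
}
IOC_USERNAMES = {"Options", "PluginAuth"}          # accounts the backdoor creates
IOC_IP_RE = re.compile(r"(?<![\d.])94\.156\.79\.8(?![\d.])")  # attacker server

def version_key(version):
    """Numeric tuple for comparison, so '4.4.7.3' sorts after '4.4.7.1'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def compromised_plugins(installed):
    """Names of installed plugins whose version lies inside an affected range."""
    hits = []
    for name, version in installed.items():
        rng = AFFECTED_RANGES.get(name)
        if rng and version_key(rng[0]) <= version_key(version) <= version_key(rng[1]):
            hits.append(name)
    return sorted(hits)

def suspicious_accounts(users):
    """Logins matching the backdoor's account names, whatever role they hold now."""
    return sorted(u["user_login"] for u in users if u["user_login"] in IOC_USERNAMES)

def ioc_ip_hits(log_lines):
    """Log lines mentioning the attacker IP exactly (94.156.79.80 must not match)."""
    return [line for line in log_lines if IOC_IP_RE.search(line)]

# Constructed sample input (hypothetical site): shapes of `wp plugin list` and
# `wp user list --format=json` output, plus two outbound-connection log lines.
SAMPLE_PLUGINS = {"Social Warfare": "4.4.7.3", "Blaze Widget": "2.5.2",
                  "Simply Show Hooks": "1.2.2", "Akismet": "5.3"}
SAMPLE_USERS = [{"user_login": "admin", "roles": "administrator"},
                {"user_login": "PluginAuth", "roles": "administrator"},
                {"user_login": "Options", "roles": "subscriber"}]
SAMPLE_EGRESS_LOG = ["2024-06-22T03:14:07Z OUT 10.0.0.5:51234 -> 94.156.79.80:443",
                     "2024-06-22T03:14:09Z OUT 10.0.0.5:51236 -> 94.156.79.8:80"]

if __name__ == "__main__":
    print("plugins in affected ranges:", compromised_plugins(SAMPLE_PLUGINS))
    print("IoC account names present:", suspicious_accounts(SAMPLE_USERS))
    print("log lines with attacker IP:", ioc_ip_hits(SAMPLE_EGRESS_LOG))
```

Any hit from the first two checks means the site should be treated as compromised, as the advisory says, rather than simply updated.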
“If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode.” –Wordfence.
Wordfence notes that some affected plugins were temporarily removed from WordPress.org, so users might see warnings even if they use a fixed version.
Source: BleepingComputer, Bill Toulas