Multiple WordPress plugins have been backdoored to inject malicious code that allows the creation of rogue administrator accounts. These accounts enable attackers to perform arbitrary actions on the compromised websites. The malware attempts to create a new admin account and sends the details to an attacker-controlled server. Additionally, malicious JavaScript is injected into the footer of websites, adding SEO spam throughout the site.
The admin accounts created by the malware have usernames like “Options” and “PluginAuth.” The account information is exfiltrated to the IP address 94.156.79[.]8. It remains unclear how the attackers managed to compromise the plugins, but the earliest signs of the software supply chain attack date back to June 21, 2024.
The affected plugins include Social Warfare, Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks. These plugins have been removed from the WordPress plugin directory pending an ongoing review. Users of these plugins are strongly advised to check their websites for suspicious administrator accounts and delete them.
In addition to removing rogue admin accounts, users should also inspect their sites for any injected malicious code. This will help to prevent further exploitation and potential damage to their websites. Keeping plugins updated and monitoring for unusual activity are crucial steps in maintaining website security.
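As an added example (not from the original report), the following triage script implements the two checks above: it flags administrator accounts using the rogue usernames named in the report and scans a plugin directory for files referencing the exfiltration address or registering a footer hook that emits a script tag. The user rows are assumed to come from `wp user list --fields=user_login,roles --format=csv`, and the `wp_footer` heuristic is an assumption, not an indicator from the report.

```python
import os
import re
import tempfile

ROGUE_LOGINS = {"options", "pluginauth"}  # rogue admin usernames named in the report
EXFIL_IP = "94.156.79.8"                  # exfiltration address named in the report
# Assumed heuristic: a plugin hooking wp_footer and emitting a <script> tag.
FOOTER_HOOK = re.compile(r"add_action\(\s*['\"]wp_footer['\"]", re.I)


def flag_rogue_admins(users):
    """users: iterable of (user_login, roles) rows; roles is a comma-joined string
    as produced by `wp user list --format=csv` (assumption)."""
    return sorted(login for login, roles in users
                  if "administrator" in roles and login.lower() in ROGUE_LOGINS)


def scan_plugin_tree(root):
    """Return {relative_path: [reasons]} for plugin files carrying indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".js")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            reasons = []
            if EXFIL_IP in text:
                reasons.append("exfil IP")
            if FOOTER_HOOK.search(text) and "<script" in text.lower():
                reasons.append("footer script injection")
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits


def demo():
    """Constructed sample install: one clean plugin file, one carrying both indicators."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "clean"))
    os.makedirs(os.path.join(root, "tainted"))
    with open(os.path.join(root, "clean", "clean.php"), "w") as fh:
        fh.write("<?php add_action('init', 'clean_init');\n")
    with open(os.path.join(root, "tainted", "tainted.php"), "w") as fh:
        fh.write("<?php add_action('wp_footer', function () { echo '<script src=\"//example.invalid/x.js\"></script>'; });\n"
                 "$report_to = 'http://94.156.79.8/';  // constructed indicator string\n")
    # Constructed user rows: "Options" is not an admin here, so only PluginAuth is flagged.
    users = [("alice", "administrator"), ("PluginAuth", "administrator"), ("Options", "subscriber")]
    return flag_rogue_admins(users), scan_plugin_tree(root)
```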