WordPress plugins continue to be under attack by hackers using stolen credentials (from other data breaches) to gain direct access to plugin code. What makes these attacks of particular concern is that these supply chain attacks can sneak in because the compromise appears to users as plugins with a normal update.
Supply Chain Attack
The most common vulnerability is when a software flaw allows an attacker to inject malicious code or to launch some other kind of attack, the flaw is in the code. But a supply chain attack is when the software itself or a component of that software (like a third party script used within the software) is directly altered with malicious code. This creates the situation where the software itself is delivering the malicious files.
The United States Cybersecurity and Infrastructure Security Agency (CISA) defines a supply chain attack (PDF):
“A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.
Newly acquired software may be compromised from the outset, or a compromise may occur through other means like a patch or hotfix. In these cases, the compromise still occurs prior to the patch or hotfix entering the customer’s network. These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers.”
For this specific attack on WordPress plugins, the attackers are using stolen password credentials to gain access to developer accounts that have direct access to plugin code to add malicious code to the plugins in order to create administrator level user accounts at every website that uses the compromised WordPress plugins.
Today, Wordfence announced that additional WordPress plugins have been identified as having been compromised. It may very well be the case that there will be more plugins that are or will be compromised. So it’s good to understand what is going on and to be proactive about protecting sites under your control.
More WordPress Plugins Attacked
Wordfence issued an advisory that more plugins were compromised, including a highly popular podcasting plugin called PowerPress Podcasting plugin by Blubrry.
These are the newly discovered compromised plugins announced by Wordfence:
- WP Server Health Stats (wp-server-stats): 1.7.6
Patched Version: 1.7.8
10,000 active installations - Ad Invalid Click Protector (AICP) (ad-invalid-click-protector): 1.2.9
Patched Version: 1.2.10
30,000+ active installations - PowerPress Podcasting plugin by Blubrry (powerpress): 11.9.3 – 11.9.4
Patched Version: 11.9.6
40,000+ active installations - Latest Infection – Seo Optimized Images (seo-optimized-images): 2.1.2
Patched Version: 2.1.4
10,000+ active installations - Latest Infection – Pods – Custom Content Types and Fields (pods): 3.2.2
Patched Version: No patched version needed currently.
100,000+ active installations - Latest Infection – Twenty20 Image Before-After (twenty20): 1.6.2, 1.6.3, 1.5.4
Patched Version: No patched version needed currently.
20,000+ active installations
These are the first group of compromised plugins:
- Social Warfare
- Blaze Widget
- Wrapper Link Element
- Contact Form 7 Multi-Step Addon
- Simply Show Hooks
More information about the WordPress Plugin Supply Chain Attack here.
What To Do If Using A Compromised Plugin
Some of the plugins have been updated to fix the problem, but not all of them. Regardless of whether the compromised plugin has been patched to remove the malicious code and the developer password updated, site owners should check their database to make sure there are no rogue admin accounts that have been added to the WordPress website.
The attack creates administrator accounts with the user names of “Options” or “PluginAuth” so those are the user names to watch for. However, it’s probably a good idea to look for any new admin level user accounts that are unrecognized in case the attack has evolved and the hackers are using different administrator accounts.
Site owners that use the Wordfence free or Pro version of the Wordfence WordPress security plugin are notified if there’s a discovery of a compromised plugin. Pro level users of the plugin receive malware signatures for immediately detecting infected plugins.
The official Wordfence warning announcement about these new infected plugins advises:
“If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode. We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan with the Wordfence plugin or Wordfence CLI and removing any malicious code.
Wordfence Premium, Care, and Response users, as well as paid Wordfence CLI users, have malware signatures to detect this malware. Wordfence free users will receive the same detection after a 30 day delay on July 25th, 2024. If you are running a malicious version of one of the plugins, you will be notified by the Wordfence Vulnerability Scanner that you have a vulnerability on your site and you should update the plugin where available or remove it as soon as possible.”
Read more:
WordPress Plugins Compromised At The Source – Supply Chain Attack
3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords
Featured Image by Shutterstock/Moksha Labs
