Plugins on WordPress.org vulnerable to supply chain attacks


A threat actor modified the source code of at least five plugins hosted on WordPress.org to include malicious PHP scripts that create new accounts with administrative privileges on websites running them.

The attack was discovered by the Wordfence Threat Intelligence team yesterday, but the malicious injection appears to have taken place late last week, between June 21 and June 22.


As soon as Wordfence became aware of this breach, the company notified plugin developers, resulting in patches being released for most products yesterday.

In total, the five plugins have been installed on over 35,000 websites:

  • Social Warfare 4.4.6.4 to 4.4.7.1 (fixed in version 4.4.7.3)
  • Blaze Widget 2.2.5 to 2.5.2 (fixed in version 2.5.4)
  • Wrapper Link Elementor 1.0.2 to 1.0.3 (fixed in version 1.0.5)
  • Contact Form 7 Multi-Step Addon 1.0.4 to 1.0.5 (fixed in version 1.0.7)
  • Simply Show Hooks 1.2.1 to 1.2.2 (no fix available yet)

Wordfence said it does not yet know how the threat actor gained access to the plugins' source code, but that it is investigating.

Although it is possible that this attack affects a larger number of WordPress plugins, current evidence suggests that the compromise is limited to the five plugins mentioned above.

Backdoor operations and IoCs

The malicious code contained in infected plugins attempts to create new admin accounts and inject SEO spam into the infected website.

Wordfence explains, “At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to a server controlled by the attacker.”

“In addition, it appears that the threat actor has also injected malicious JavaScript into the footer of the websites, which adds SEO spam throughout the website.”

Data is transmitted to the IP address 94.156.79[.]8, while the arbitrarily created admin accounts are named “Options” and “PluginAuth,” the researchers say.

Website owners who notice traffic coming from such accounts or the attacker's IP address should perform a full malware scan and cleanup.
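A minimal triage check for the two indicators the article gives (the attacker IP in web server access logs and administrator accounts with the reported names), written as an added example rather than code from Wordfence or any of the affected plugins. It assumes a combined access-log format and a user list in the shape produced by `wp user list --format=json`; the log lines and user records below are constructed samples.

```python
import re
from typing import Iterable

# Indicators from the article; the defanged IP is re-assembled for matching.
ATTACKER_IP = "94.156.79.8"
SUSPICIOUS_USERNAMES = {"options", "pluginauth"}  # compared case-insensitively

# Constructed sample access-log lines (combined log format, only the leading fields matter).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [22/Jun/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512
94.156.79.8 - - [22/Jun/2024:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [22/Jun/2024:10:03:40 +0000] "GET /?p=1 HTTP/1.1" 200 2048
"""

# Constructed sample user records, shaped like `wp user list --fields=ID,user_login,roles`.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "roles": "editor"},
    {"ID": 3, "user_login": "PluginAuth", "roles": "administrator"},
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def log_hits(lines: Iterable[str]) -> list:
    """Parse access-log lines and return the entries whose client IP is the attacker IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("ip") == ATTACKER_IP:
            hits.append(m.groupdict())
    return hits


def suspicious_admins(users: list) -> list:
    """Return logins of administrator accounts whose name matches a reported IoC username."""
    return [u["user_login"] for u in users
            if "administrator" in u["roles"]
            and u["user_login"].lower() in SUSPICIOUS_USERNAMES]


def needs_incident_response(lines: Iterable[str], users: list) -> bool:
    """True if either indicator is present; a full scan and cleanup is then warranted."""
    return bool(log_hits(lines)) or bool(suspicious_admins(users))


if __name__ == "__main__":
    print("attacker IP hits:", log_hits(SAMPLE_ACCESS_LOG.splitlines()))
    print("suspicious admins:", suspicious_admins(SAMPLE_USERS))
    print("incident response needed:", needs_incident_response(SAMPLE_ACCESS_LOG.splitlines(), SAMPLE_USERS))
```

A clean log and an absent admin account do not prove the site is untouched, since the injected footer JavaScript and the plugin files themselves also need to be checked.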

“If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode.” – Wordfence.

Wordfence reported that some affected plugins have been temporarily removed from WordPress.org, which may result in users receiving warnings even if they are using the patched version.
