Several WordPress plugins have been backdoored with malicious code that creates unauthorized administrator accounts, which can then be used to carry out arbitrary actions on the affected site.
“The implanted malware endeavors to generate a novel administrative user profile and subsequently transmits this data to a server controlled by the attacker,” Wordfence security analyst Chloe Chamberland said in an alert published on Monday.
The threat actor also appears to have injected malicious JavaScript into the site footer, apparently to spread SEO spam across the site.
The rogue administrator accounts observed use the usernames “Options” and “PluginAuth,” and the harvested account details are exfiltrated to the IP address 94.156.79[.]8.
It is not yet known how the unidentified attackers managed to compromise the plugins, but the earliest signs of this software supply chain attack date back to June 21, 2024.
The affected plugins have been pulled from the WordPress plugin directory pending further review:
- Social Warfare 4.4.6.4 – 4.4.7.1 (patched version: 4.4.7.3) – 30,000+ installations
- Blaze Widget 2.2.5 – 2.5.2 (patched version: N/A) – fewer than 10 installations
- Wrapper Link Element 1.0.2 – 1.0.3 (patched version: N/A) – 1,000+ installations
- Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (patched version: N/A) – 700+ installations
- Simply Show Hooks 1.2.1 (patched version: N/A) – 4,000+ installations
Users of these plugins are advised to check their sites for suspicious administrator accounts and delete them, along with any malicious code they find.
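As an added triage helper (not from the Wordfence alert or any of the plugins listed), the following Python script reads CSV output from WP-CLI and flags installed plugins that fall inside the affected version ranges above, as well as administrator accounts that use one of the reported usernames or were registered on or after June 21, 2024. It assumes the plugin display names match the `title` column of `wp plugin list`, and the CSV samples embedded below are constructed stand-ins for a real site's output.

```python
import csv
import io
from datetime import datetime

# Affected ranges from the advisory, keyed by plugin display name (assumed to
# match the 'title' column of `wp plugin list --format=csv`).
AFFECTED = {
    "Social Warfare": ("4.4.6.4", "4.4.7.1"),
    "Blaze Widget": ("2.2.5", "2.5.2"),
    "Wrapper Link Element": ("1.0.2", "1.0.3"),
    "Contact Form 7 Multi-Step Addon": ("1.0.4", "1.0.5"),
    "Simply Show Hooks": ("1.2.1", "1.2.1"),
}
KNOWN_BAD_LOGINS = {"Options", "PluginAuth"}  # usernames named in the advisory
FIRST_SEEN = datetime(2024, 6, 21)            # earliest known compromise date

def vtuple(version):
    """'4.4.7.1' -> (4, 4, 7, 1): compare versions numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))

def in_range(version, lo, hi):
    return vtuple(lo) <= vtuple(version) <= vtuple(hi)

def affected_plugins(plugin_csv):
    """Return (title, version) for installed plugins inside an affected range."""
    hits = []
    for row in csv.DictReader(io.StringIO(plugin_csv)):
        rng = AFFECTED.get(row["title"])
        if rng and in_range(row["version"], *rng):
            hits.append((row["title"], row["version"]))
    return hits

def suspicious_admins(user_csv):
    """Flag admins using a reported username or registered on/after FIRST_SEEN.
    Every hit still needs manual review: a date match alone is only a lead."""
    hits = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if row["user_login"] in KNOWN_BAD_LOGINS or registered >= FIRST_SEEN:
            hits.append(row["user_login"])
    return hits

# Constructed sample of `wp plugin list --fields=title,version --format=csv`
PLUGINS_CSV = "title,version\nSocial Warfare,4.4.7.0\nBlaze Widget,2.6.0\n"
# Constructed sample of `wp user list --role=administrator
#   --fields=user_login,user_registered --format=csv`
ADMINS_CSV = ("user_login,user_registered\nalice,2021-03-02 10:11:12\n"
              "PluginAuth,2024-06-22 03:14:15\n")
```

On a live site, feed the two CSVs produced by the WP-CLI commands in the comments into `affected_plugins` and `suspicious_admins`; Blaze Widget 2.6.0 is outside its affected range and is not reported, while Social Warfare 4.4.7.0 and the "PluginAuth" account are.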