Last updated on
WordPress.org and Wordfence have issued alerts regarding hackers injecting malicious code into plugins directly at the source, resulting in widespread infections through updates.
Typically, a plugin vulnerability allows attackers to compromise individual sites using that plugin version. However, in these cases, the compromises differ as the plugins themselves are not vulnerable. Attackers are instead injecting malicious code directly at the source of the plugin, triggering updates that spread to all affected sites.
Wordfence initially identified malicious code in one plugin and subsequently found four other compromised plugins with similar malicious injections. They promptly alerted WordPress to these discoveries by adding the details to their database.
Wordfence provided specifics on the affected plugins:
WordPress promptly deactivated all five plugins from its official repository and posted notifications on their respective plugin pages stating they are temporarily closed and unavailable.
The compromised plugins create unauthorized admin accounts that communicate with a remote server. Affected websites are modified with SEO spam links added to the footer. Advanced malware can be challenging to detect because attackers deliberately obscure their code, often encoding it to appear as numeric strings. However, Wordfence pointed out that this particular malware lacks sophistication and is straightforward to identify and trace.
Wordfence highlighted an interesting aspect of this malware:
“The injected malicious code is relatively unsophisticated and minimally obfuscated, with comments scattered throughout for clarity. The earliest instance of injection seems to date back to June 21st, 2024, and the threat actor was actively updating plugins as recently as 5 hours ago.”
According to the WordPress advisory, attackers have been targeting plugin developers with “committer access,” which allows them to commit code directly to the plugin. They first identify developers with such access, then utilize credentials obtained from other data breaches to gain unauthorized entry at the code level and inject malicious code.
WordPress clarified:
“Between June 23 and 24, 2024, an attacker compromised five WordPress.org user accounts using username and password combinations previously leaked in other website breaches. The attacker leveraged access to these accounts to push malicious updates to five plugins associated with those users who had committer access.
…The affected plugins have since received security updates from the Plugins Team to safeguard user security.”
The responsibility for these compromises appears to stem from the security practices of the plugin developers. In response, WordPress issued an official reminder to plugin developers about adopting best security practices to prevent such incidents from occurring in the future.
Currently, there are only five plugins identified with this specific malicious code compromise. According to Wordfence, hackers are creating admin accounts using usernames like “Options” or “PluginAuth.” To verify if a site has been compromised, it’s advised to check for any new admin accounts, particularly those with these usernames.
Wordfence suggests that affected sites using any of these five plugins should delete any unauthorized administrator-level accounts and conduct a malware scan using the Wordfence plugin to remove the malicious code.
Responding to a query in the comments about concerns for plugins not among the identified five, Chloe Chamberland, Wordfence’s Threat Intelligence Lead, reassured users, stating, “At this time, it seems to be limited to those specific 5 plugins, so there’s likely no need for extensive worry about other plugin updates.” However, she recommended caution by reviewing the change-sets of any plugin updates before applying them to ensure they do not contain malicious code.
Additionally, two other commenters reported discovering rogue admin accounts on their sites, even though they didn’t use any of the known affected plugins. It remains uncertain if other plugins might also be affected at this juncture.
Original news from SearchEngineJournal