Considering that many MSSPs and MSPs manage WordPress sites for their customers, news of a malware injection into five WordPress plugins raises concern about the vulnerability of this common website content creation software.
The software supply chain attack injected malicious code that makes it possible to create rogue administrator accounts, with the aim of performing arbitrary actions, The Hacker News reports. The break-in established malicious admin accounts with the "Options" and "PluginAuth" usernames, enabling the exfiltration of account details to the IP address 94.156.79[.]8.
Attackers also conducted malicious JavaScript code injections to infect targeted websites with search engine optimization spam, Defiant’s Wordfence security researcher Chloe Chamberland blogged. All of the affected plugins have already been removed from the WordPress plugin directory. Only Social Warfare has issued a new version addressing the issue. Immediate deletion of the plugins has also been recommended to website admins.
Now, on top of malware, a new credit card skimmer, “Caesar Cipher Skimmer,” is infecting multiple content management platforms, including WordPress, Magento and OpenCart, Ben Martin of Sucuri reports.
Fixing the Problem
The plugins in question are no longer available for download from the WordPress plugin directory pending ongoing review. Wordfence offers a full guide to cleaning your WordPress site and associated patches.
Wordfence lists the infected plugins:
- Social Warfare 4.4.6.4 – 4.4.7.1; Patched Version: 4.4.7.3
- Blaze Widget 2.2.5 – 2.5.2; Patched Version: None
- Wrapper Link Element 1.0.2 – 1.0.3; Patched Version: It appears that someone removed the malicious code; however, the latest version is tagged as 1.0.0, which is lower than the infected versions. This means it may be difficult to update to the latest version. Removing the plugin until a properly tagged version is released is recommended.
- Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5; Patched Version: None
- Simply Show Hooks 1.2.1; Patched Version: None
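One way an MSP could audit a fleet of WordPress sites against the list above is to feed WP-CLI's plugin and user inventories into a small checker. This is an added example, not code from the article or from Wordfence; the plugin slugs are assumed (the article gives only display names), the sample records are constructed, and the installed-version check encodes the Wrapper Link Element edge case (a 1.0.0 re-tag falls below the infected range, so only removal is advised).

```python
import json

# Infected ranges as listed by Wordfence: slug -> (first bad, last bad, patched).
# Slugs are assumed; the article names the plugins by display name only.
INFECTED = {
    "social-warfare": ("4.4.6.4", "4.4.7.1", "4.4.7.3"),
    "blaze-widget": ("2.2.5", "2.5.2", None),
    "wrapper-link-element": ("1.0.2", "1.0.3", None),  # 1.0.0 re-tag is not a fix
    "contact-form-7-multi-step-addon": ("1.0.4", "1.0.5", None),
    "simply-show-hooks": ("1.2.1", "1.2.1", None),
}
# Usernames of the rogue administrator accounts reported in the article.
ROGUE_USERS = {"options", "pluginauth"}


def vtuple(v):
    """Split a dotted version string into a tuple of ints."""
    return tuple(int(p) for p in v.split("."))


def in_range(v, lo, hi):
    """True if version v lies within [lo, hi]; shorter tuples are zero-padded."""
    parts = [vtuple(v), vtuple(lo), vtuple(hi)]
    n = max(len(p) for p in parts)
    cur, low, high = (p + (0,) * (n - len(p)) for p in parts)
    return low <= cur <= high


def audit_plugins(plugins):
    """Map each infected plugin (from `wp plugin list --format=json`) to an action."""
    findings = {}
    for p in plugins:
        spec = INFECTED.get(p["name"])
        if spec and in_range(p["version"], spec[0], spec[1]):
            findings[p["name"]] = f"update to {spec[2]}" if spec[2] else "remove"
    return findings


def audit_users(users):
    """Return logins (from `wp user list --format=json`) matching the rogue names."""
    return sorted(u["user_login"] for u in users if u["user_login"].lower() in ROGUE_USERS)


# Constructed sample inventories in WP-CLI's JSON output shape.
SAMPLE_PLUGINS = json.loads('[{"name":"social-warfare","status":"active","update":"available","version":"4.4.7.1"},'
                            '{"name":"wrapper-link-element","status":"active","update":"none","version":"1.0.3"},'
                            '{"name":"akismet","status":"active","update":"none","version":"5.3"}]')
SAMPLE_USERS = json.loads('[{"ID":1,"user_login":"admin","roles":"administrator"},'
                          '{"ID":7,"user_login":"PluginAuth","roles":"administrator"}]')

if __name__ == "__main__":
    print(audit_plugins(SAMPLE_PLUGINS))  # {'social-warfare': 'update to 4.4.7.3', 'wrapper-link-element': 'remove'}
    print(audit_users(SAMPLE_USERS))      # ['PluginAuth']
```

A flagged rogue login is a sign the site itself was compromised, so rotating credentials and following the Wordfence cleaning guide matters more than just removing the plugin.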
The Wordfence Threat Intelligence team is performing a deeper analysis and will provide more information as it becomes available.
“We are actively working on a set of malware signatures to provide detection for these compromised plugins,” Chamberland said. “However, if you are running a malicious version of one of the plugins, you will be notified by the Wordfence Vulnerability Scanner that you have a vulnerability on your site and you should update the plugin where available or remove it ASAP.”
Supply Chain Attacks Rise 633%
The WordPress attack brings to light new research from Sonatype’s 9th Annual State of the Software Supply Chain Report, which uncovered a whopping 633% increase in software supply chain attacks.