WordPress Supply Chain Attack Spreads Across Multiple Plug-ins

A threat actor or actors has compromised multiple plug-ins on the WordPress.org site with code aimed at giving attackers administrative privileges as well as conducting further malicious activity.

WordPress.org's Plug-in Review team warned users on Monday that a plug-in called Social Warfare was infected by malicious code, according to a forum post. After noticing the post, Wordfence researchers did some follow-up and discovered that there were several more WordPress.org plug-ins injected with the same code, according to a blog post published by Wordfence on June 24.

In addition to Social Warfare, versions 4.4.6.4 and 4.4.7.1, the affected plug-ins include: Blaze Widget v2.2.5 to 2.5.2; Wrapper Link Element v1.0.2 to 1.0.3; Contact Form 7 Multi-Step Addon v1.0.4 to 1.0.5; and Simply Show Hooks v1.2.1.

Of the plug-ins, Social Warfare (a social-media-themed offering) has the most installations, with more than 30,000; the rest reached no more than hundreds at the most. Still, the presence of the same malicious code across all of them should raise alarm bells, as it suggests attempts at a larger supply chain attack, according to Wordfence.

Social Warfare has been patched in version 4.4.7.3; however, it and all of the affected plug-ins have been delisted and are unavailable for download, at least temporarily, though WordPress.org did not respond when Wordfence reached out about its discovery.

None of the other plug-ins currently have a patched version; however, someone has removed the malicious code from Wrapper Link Element in a current version that's been tagged as 1.0.0, which is lower than the infected versions and thus may make it difficult for users to update, according to Wordfence.

Malicious Behavior

The malicious code injected in the plug-ins "attempts to create a new administrative user account and then sends those details back to the attacker-controlled server" located at 94.156.79.8, Wordfence threat intelligence lead Chloe Chamberland wrote in the post. The campaign also uses the plug-ins to inject malicious JavaScript into the footer of websites and to add SEO spam throughout it, she said.

"The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow," Chamberland added.

The origin of the attack was likely June 21, and attackers were still updating plug-ins about five hours before WordFence published its post on the attack on June 24. The researchers still don't know exactly how the infection began, and is performing a deeper analysis with updates to follow, she said.

Mitigating Attacks Via WordPress Plug-Ins

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Typically, attackers target singular plug-ins with large install bases; however, the new attack suggests that attackers now may be eyeing more ambitious supply chain attacks across multiple plug-ins to broaden the impact of malicious campaigns, according to Wordfence.

As such an attack demands greater vigilance, Wordfence — which focuses on the security of the WordPress platform — is actively working on a set of malware signatures to provide detection for these compromised plug-ins. In the meantime, anyone using any of the plug-ins should remove them from any websites immediately and "go into incident-response mode," Chamberland said.

"We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan" to remove any malicious code, she said.

Wordfence also included in the post various indicators of compromise (IoCs) — including known usernames associated with attacker-controlled admin accounts — that WordPress administrators can use to identify evidence of the campaign. Also included is a link to a guide that provides advice on how to clean WordPress-based websites of malicious code.