June 25, 2024 at 12:53PM
Multiple plug-ins on WordPress.org were compromised by threat actors, injecting malicious code aimed at granting attackers administrative privileges and enabling further malicious activity. The affected plug-ins, including the popular Social Warfare, have been delisted and are unavailable for download, with a recommendation to remove them immediately and perform a complete malware scan.
After reviewing the meeting notes, the key takeaways are:
1. Multiple plug-ins on WordPress.org have been compromised by a threat actor or actors, allowing them to attain administrative privileges and conduct further malicious activity. This includes the plug-in Social Warfare and several others listed in the notes.
2. The malicious code injected in the compromised plug-ins attempts to create a new administrative user account and sends the details back to an attacker-controlled server. It also injects malicious JavaScript into website footers and adds SEO spam.
3. The attack suggests a larger supply chain attack, with multiple plug-ins being targeted simultaneously, rather than just singular plug-ins with large install bases.
4. Wordfence is actively working on malware signatures to detect compromised plug-ins. In the meantime, users are advised to remove the affected plug-ins from their websites and go into incident-response mode, checking for unauthorized administrative user accounts and running complete malware scans.
5. Wordfence has provided indicators of compromise (IoCs) and a guide on how to clean WordPress-based websites of malicious code.
These key takeaways should help in understanding the severity of the situation and determining the necessary measures to address the security threat posed by the compromised plug-ins.