Plugins on WordPress.org backdoored in supply chain attack

June 25, 2024 at 03:32PM

A threat actor altered WordPress plugins on WordPress.org to insert malicious code that creates new admin accounts and injects SEO spam. Wordfence discovered the breach and notified developers, resulting in patches for most affected products. The compromised plugins include Social Warfare, Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks. The investigation is ongoing.

Key takeaways:

– A threat actor modified the source code of at least five plugins hosted on WordPress.org to include malicious PHP scripts that create new accounts with administrative privileges on websites running them.
– The attack was discovered by the Wordfence Threat Intelligence team, and the malicious injections occurred between June 21 and June 22.
– Wordfence notified the plugin developers, resulting in patches being released for most of the products.
– The impacted plugins include Social Warfare, Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks.
– The malicious code in the infected plugins attempts to create new admin accounts and inject SEO spam into the compromised website.
– The data is transmitted to the IP address 94.156.79[.]8, and the attacker also injected malicious JavaScript into the footer of websites.
– Website owners with compromised installations are advised to perform a complete malware scan and cleanup.
– Some of the impacted plugins were temporarily delisted from WordPress.org, which may result in users getting warnings even if they use a patched version.
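
A first-pass triage for the scan advised above, as an added example that is not from the article or from Wordfence: it searches plugin files for the reported IP address and lists administrator accounts registered on or after June 21. The directory layout, the user-export fields (`user_login`, `user_registered`, `roles`) and all sample data are assumptions constructed for the example; the year 2024 is taken from the article date.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# IoC from the article (defanged there as 94.156.79[.]8); digit guards avoid
# matching longer addresses such as 194.156.79.80.
IOC_RE = re.compile(r"(?<!\d)94(?:\.|\[\.\])156(?:\.|\[\.\])79(?:\.|\[\.\])8(?!\d)")
# Injections are reported from June 21; the year is taken from the article date.
WINDOW_START = datetime(2024, 6, 21, tzinfo=timezone.utc)


def scan_tree(root):
    """Return relative paths of .php/.js files under root that mention the IoC."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".js"}:
            if IOC_RE.search(path.read_text(encoding="utf-8", errors="replace")):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def recent_admins(users):
    """Return logins of administrators registered on or after WINDOW_START."""
    flagged = []
    for u in users:
        created = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        is_admin = "administrator" in u["roles"].split(",")
        if is_admin and created.replace(tzinfo=timezone.utc) >= WINDOW_START:
            flagged.append(u["user_login"])
    return flagged


def demo():
    """Run both checks on constructed sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in [("plugin-a/main.php", "<?php $h = '94.156.79.8';"),
                           ("plugin-b/ok.php", "<?php $h = '194.156.79.80';")]:
            (root / name).parent.mkdir(parents=True)
            (root / name).write_text(body, encoding="utf-8")
        files = scan_tree(root)
    users = [  # constructed export: login, registration time (assumed UTC), roles
        {"user_login": "site-owner", "user_registered": "2023-02-10 09:00:00", "roles": "administrator"},
        {"user_login": "example-new-admin", "user_registered": "2024-06-22 03:14:07", "roles": "administrator"},
        {"user_login": "example-author", "user_registered": "2024-06-23 11:00:00", "roles": "author"},
    ]
    return files, recent_admins(users)
```

A clean result does not rule out compromise, since the indicator may be stored in obfuscated form; the check only narrows where to look first.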
