Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts
Multiple WordPress plugins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts with the aim of performing arbitrary actions.
"The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server," Wordfence security researcher Chloe Chamberland said in a Monday alert.
"In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website."
The admin accounts have the usernames "Options" and "PluginAuth," with the account information exfiltrated to the IP address 94.156.79[.]8.
It's currently not known how the unknown attackers behind the campaign managed to compromise the plugins, but the earliest signs of the software supply chain attack date back to June 21, 2024.
The plugins in question are no longer available for download from the WordPress plugin directory pending ongoing review -
- Social Warfare 4.4.6.4 – 4.4.7.1 (Patched version: 4.4.7.3) - 30,000+ installs
- Blaze Widget 2.2.5 – 2.5.2 (Patched version: N/A) - 10+ installs
- Wrapper Link Element 1.0.2 – 1.0.3 (Patched version: N/A) - 1,000+ installs
- Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (Patched version: N/A) - 700+ installs
- Simply Show Hooks 1.2.1 (Patched version: N/A) - 4,000+ installs
Users of the aforementioned plugins are advised to inspect their sites for suspicious administrator accounts and delete them, in addition to removing any malicious code.
source: TheHackerNews
Free security scan for your website
Top News:
Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)
November 18, 2024CWE top 25 most dangerous software weaknesses
November 21, 2024Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
November 21, 2024APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware
November 23, 2024Microsoft rolls out Recall to Windows Insiders with Copilot+ PCs
November 23, 2024Download: CIS Critical Security Controls v8.1
August 8, 2024