Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack

On June 24th, 2024, we became aware of a supply chain attack targeting multiple WordPress plugins hosted on WordPress.org. An attacker was able to successfully compromise five WordPress.org accounts, where the developers were utilizing credentials previously found in data breaches, and commit malicious code to the plugins that would inject new administrative user accounts along with SEO Spam and cryptominers whenever the site owner updates the plugin to the latest version.

Indicators of Compromise

  • The following IP address is the attacker-controlled server to which the malicious code sends data
    • 94.156.79.8
  • The following are the currently known usernames of the administrative user accounts that are being generated
    • Options
    • PluginAuth

While we continue to monitor the situation, three additional plugins have been found injected with malicious code. Two of them had already been remediated by the WordPress.org team by the time we saw them, and a third was discovered by the Wordfence team and reported to them immediately. At this point, all three plugins have been closed for downloads by the plugins team, and the malicious code has been removed along with the release of new code to nullify the created admin passwords to prevent further infection.

The following is the full list of plugins which have been compromised:

  • WP Server Health Stats (wp-server-stats): 1.7.6
    • Patched Version: 1.7.8
  • Ad Invalid Click Protector (AICP) (ad-invalid-click-protector): 1.2.9
    • Patched Version: 1.2.10
  • PowerPress Podcasting plugin by Blubrry (powerpress): 11.9.3 – 11.9.4
    • Patched Version: 11.9.6
  • Social Warfare 4.4.6.4 – 4.4.7.1
    • Vulnerable versions: 4.4.6.4 to 4.4.7.1
    • Patched version: 4.4.7.2 (malicious code has been removed)
    • Fully patched version: 4.4.7.3 (code to invalidate admin passwords was added)
  • Blaze Widget 2.2.5 – 2.5.2
    • Vulnerable versions: 2.2.5-2.5.2
    • Patched version: 2.5.3 (malicious code has been removed)
    • Fully patched version: 2.5.4 (code to invalidate admin passwords was added)
  • Wrapper Link Element 1.0.2 – 1.0.3
    • Vulnerable versions: 1.0.2-1.0.3
    • Patched version: 1.0.4 (malicious code has been removed)
    • Fully patched version: 1.0.5 (code to invalidate admin passwords was added)
  • Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5
    • Vulnerable versions: 1.0.4-1.0.5
    • Patched version: 1.0.6 (malicious code has been removed)
    • Fully patched version: 1.0.7 (code to invalidate admin passwords was added)
  • Simply Show Hooks 1.2.2
    • Vulnerable version: 1.2.2
    • Patched version: 1.2.1
    • Note: The plugin response team reverted the changes; however, the patched version is set to 1.2.1, which is lower than the affected version. It’s unclear if an infected version (1.2.2) was ever officially deployed.

This brings the total up to 8 plugins affecting anywhere up to 116,000 WordPress sites. This time the attacker is utilizing randomized usernames and is attempting to disable Wordfence, likely in a poor attempt to evade detection. The attacker-controlled server IP (94.156.79.8) remains the same, however.

If you are a developer with a WordPress.org account, please do an audit of your committers and remove any that are no longer used, ensure all committers are utilizing strong and unique passwords, and enable 2FA and release confirmations as soon as possible so we can prevent more software from being successfully compromised.

If you have any of these plugins installed (we checked and no clients of ProtectYourWP are currently using any of these), you should consider your installation compromised and immediately go into incident response mode. We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan with the Wordfence plugin or Wordfence CLI and removing any malicious code.
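As an added example (not code from the Wordfence posts or from ProtectYourWP), the indicators and the affected version ranges above can be turned into a triage check a site owner runs over the plugin header files under wp-content/plugins and an exported user list. It assumes the installed plugin's "Plugin Name" header matches the name the advisory uses, and the plugin files and users fed to it below are constructed samples.

```python
import re

C2_IP = "94.156.79.8"                          # attacker-controlled server IP from the advisory
KNOWN_ADMIN_USERS = {"Options", "PluginAuth"}  # injected admin usernames from the advisory

# "Plugin Name" header value -> (first affected, last affected) version, as listed above.
# Assumption: the installed plugin's header name matches the name the advisory uses.
AFFECTED = {
    "WP Server Health Stats": ("1.7.6", "1.7.6"),
    "Ad Invalid Click Protector (AICP)": ("1.2.9", "1.2.9"),
    "PowerPress Podcasting plugin by Blubrry": ("11.9.3", "11.9.4"),
    "Social Warfare": ("4.4.6.4", "4.4.7.1"),
    "Blaze Widget": ("2.2.5", "2.5.2"),
    "Wrapper Link Element": ("1.0.2", "1.0.3"),
    "Contact Form 7 Multi-Step Addon": ("1.0.4", "1.0.5"),
    "Simply Show Hooks": ("1.2.2", "1.2.2"),
}

def parse_version(text):
    """'4.4.7.1' -> (4, 4, 7, 1); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def parse_plugin_header(php_source):
    """Read 'Plugin Name:' and 'Version:' from a plugin's main-file header comment."""
    name = re.search(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", php_source, re.M)
    version = re.search(r"^\s*\*?\s*Version:\s*(.+?)\s*$", php_source, re.M)
    return (name.group(1) if name else None, version.group(1) if version else None)

def is_affected(name, version):
    """True when the plugin name/version falls inside an affected range from the advisory."""
    if name not in AFFECTED or not version:
        return False
    low, high = (parse_version(bound) for bound in AFFECTED[name])
    return low <= parse_version(version) <= high

def files_referencing_c2(files):
    """files: {path: contents}. Returns the paths whose contents mention the C2 IP."""
    return sorted(path for path, body in files.items() if C2_IP in body)

def suspicious_admins(users):
    """users: [{'user_login': ..., 'role': ...}] as exported from the site.
    Flags administrators using a known injected username. Later waves used randomized
    names, so every administrator account still needs a manual review."""
    return sorted(user["user_login"] for user in users
                  if user["role"] == "administrator" and user["user_login"] in KNOWN_ADMIN_USERS)
```

A plugin that is_affected() reports, or any file files_referencing_c2() returns, means the site should be treated as compromised per the guidance above, not merely updated.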

Paid Wordfence users have already received malware signatures to detect this malware. Wordfence free users will receive the same detection after a 30-day delay, on July 25th, 2024. If you are running a malicious version of one of the plugins, you will be notified by the Wordfence Vulnerability Scanner that you have a vulnerability on your site, and you should update the plugin where available or remove it as soon as possible.

We will continue to monitor the situation and update this post with any changes.

Source and more details:

  • June 24th: https://www.wordfence.com/blog/2024/06/supply-chain-attack-on-wordpress-org-plugins-leads-to-5-maliciously-compromised-wordpress-plugins
  • June 26th: https://www.wordfence.com/blog/2024/06/developer-accounts-compromised-due-to-credential-reuse-in-wordpress-org-supply-chain-attack
  • June 28th: https://www.wordfence.com/blog/2024/06/3-more-plugins-infected-in-wordpress-org-supply-chain-attack-due-to-compromised-developer-passwords
