On June 24th, 2024, Wordfence reported that multiple WordPress plugins had been injected with malicious code. Wordfence's investigation revealed that several plugins, including Social Warfare and Blaze Widget, were compromised. Many websites depend on these plugins, which makes the compromise a serious concern for businesses that rely on WordPress for their online presence.

The injected malware creates a new administrative user account and sends the account details to a server controlled by the attacker. Additionally, malicious JavaScript is inserted into the website footer, which adds SEO spam throughout the site. The malware is not heavily obfuscated and contains comments, making it easy to follow. The earliest known injection occurred on June 21st, 2024, and the most recent updates were made as little as 5 hours prior to detection.

The compromised plugins are as follows:

  • Social Warfare 4.4.6.4 – 4.4.7.1
    • Patched Version: 4.4.7.3
  • Blaze Widget 2.2.5 – 2.5.2
    • Patched Version: None
  • Wrapper Link Element 1.0.2 – 1.0.3
    • Patched Version: The latest version is tagged as 1.0.0, lower than the infected versions. Users are advised to remove the plugin until a properly tagged version is released.
  • Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5
    • Patched Version: None
  • Simply Show Hooks 1.2.1
    • Patched Version: None

Indicators of Compromise

  • Server IP Address: 94.156.79.8
  • Usernames of Generated Administrative Accounts: Options, PluginAuth

Prevention and Action:

If you have any of these plugins installed, consider your site compromised and immediately initiate incident response measures. Verify your WordPress administrative user accounts and delete any unauthorized accounts.
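The check described above can be scripted. The following is an added example, not code from Wordfence or from the affected plugins: it compares a plugin inventory and an administrator list against the version ranges and usernames listed in this advisory. It assumes the inventory was exported with WP-CLI (`wp plugin list --fields=title,version --format=json` and `wp user list --role=administrator --fields=user_login,user_registered --format=json`), that plugin titles match the names as spelled here, and it treats any administrator created on or after the earliest known injection date as worth manual review; the sample data is constructed.

```python
import json
import re
from datetime import datetime

# Affected version ranges (inclusive) and IoC usernames, copied from the advisory above.
AFFECTED = {
    "social warfare": ("4.4.6.4", "4.4.7.1"),
    "blaze widget": ("2.2.5", "2.5.2"),
    "wrapper link element": ("1.0.2", "1.0.3"),
    "contact form 7 multi-step addon": ("1.0.4", "1.0.5"),
    "simply show hooks": ("1.2.1", "1.2.1"),
}
IOC_ADMINS = {"options", "pluginauth"}
EARLIEST_INJECTION = datetime(2024, 6, 21)  # earliest known injection per the advisory

def vkey(version, width=4):
    """Map '2.3' to (2, 3, 0, 0) so 2-, 3- and 4-part versions compare numerically."""
    nums = [int(re.match(r"\d*", part).group() or 0) for part in version.split(".")]
    return tuple((nums + [0] * width)[:width])

def affected_plugins(plugins):
    """Return (title, version) for installed plugins inside an affected range."""
    hits = []
    for p in plugins:
        rng = AFFECTED.get(p["title"].strip().lower())
        if rng and vkey(rng[0]) <= vkey(p["version"]) <= vkey(rng[1]):
            hits.append((p["title"], p["version"]))
    return hits

def suspicious_admins(admins):
    """Return (login, reason): IoC usernames first, else accounts created in the window."""
    hits = []
    for u in admins:
        created = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if u["user_login"].lower() in IOC_ADMINS:
            hits.append((u["user_login"], "ioc-username"))
        elif created >= EARLIEST_INJECTION:  # assumption: worth manual review, not proof
            hits.append((u["user_login"], "created-since-first-injection"))
    return hits

# Constructed sample inventory (not real site data).
PLUGINS = json.loads('[{"title": "Social Warfare", "version": "4.4.7.3"},'
                     ' {"title": "Blaze Widget", "version": "2.3"},'
                     ' {"title": "Simply Show Hooks", "version": "1.2.1"}]')
ADMINS = json.loads('[{"user_login": "admin", "user_registered": "2019-03-02 10:00:00"},'
                    ' {"user_login": "PluginAuth", "user_registered": "2024-06-22 04:11:09"},'
                    ' {"user_login": "webdev", "user_registered": "2024-06-23 09:30:00"}]')

if __name__ == "__main__":
    print(affected_plugins(PLUGINS))
    print(suspicious_admins(ADMINS))
```

In the sample, the patched Social Warfare 4.4.7.3 is not flagged, while Blaze Widget 2.3 is, because it falls inside the 2.2.5 – 2.5.2 range even though it has fewer version components.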
