3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords

Update #1: As of 12:36 PM EST, another plugin has been infected. We’ve updated the list below to include this fourth plugin, and the plugins team has been notified.

Update #2: As of 2:20 PM EST, two more plugins appear to have malicious commits; however, the releases have not officially been made, meaning no sites should currently be affected. We’ve updated the list below to include these additional plugins, and the plugins team has been notified.

Update #3: As of 4:44 PM EST, only one more plugin has received malicious commits, and again the release was not officially made, meaning no sites should be affected. We’ve updated the list below to include this additional plugin, and the plugins team has been notified. At this point the WordPress.org team is holding any further plugin releases and is ensuring that only non-malicious releases are made.

Final update for this post. WordPress.org has taken preventative steps to ensure no more plugins will be updated with malicious code, and the WordPress Project has provided us with the following quote:

“Following the reporting from Wordfence and others, the Plugin, Security, and Meta teams collaborated on immediate steps to mitigate any ongoing risk for the WordPress community. There is a hold on additional plugin releases, mitigation efforts were targeted to most likely affected accounts first, and outreach to remaining plugin authors is underway. A timeline is being set for a return to updates.” ~ WordPress Project


On June 24th, 2024, we became aware of a supply chain attack targeting multiple WordPress plugins hosted on WordPress.org. An attacker was able to compromise five WordPress.org accounts whose developers were reusing credentials previously exposed in data breaches, and to commit malicious code to their plugins. That code creates new administrative user accounts and injects SEO spam and cryptominers whenever a site owner updates the plugin to the latest version.

While we continue to monitor the situation, we found that three additional plugins had been injected with malicious code today. Two of these had already been remediated by the WordPress.org team by the time we saw them; the third was discovered by our team and reported to them immediately. At this point, all three plugins have been closed for downloads by the plugins team, the malicious code has been removed, and new releases have been published that nullify the passwords of the admin accounts the malware created, to prevent further infection.

The following are the three additional plugins that have been compromised:

This brings the total up to 8 plugins, affecting anywhere up to 116,000 WordPress sites. This time the attacker is using randomized usernames for the injected accounts and is attempting to disable Wordfence, likely in a poor attempt to evade detection. The attacker-controlled server IP (94.156.79.8) remains the same, however.

The following is a list of plugins where the attacker was able to make a malicious commit by compromising a committer’s account, but was unsuccessful in releasing the update. No sites running the following plugins should be affected. Please note that this section was added after the post was initially published.

  • Pods – Custom Content Types and Fields (pods): Pre-release version 3.2.2
    • Patched Version: The vulnerable version was never officially released, therefore no patched version is required. If your site is running Pods 3.2.1 or older, your site is safe.
    • Special Note: The plugin author reached out to inform us that they had release confirmations enabled, which prevented the release of the malicious version – a great example of how release confirmations can stop this type of attack from succeeding.
  • Twenty20 Image Before-After (twenty20): Pre-release versions 1.6.2, 1.6.3, 1.5.4
    • Patched Version: The vulnerable versions were never officially released, therefore no patched version is required. If your site is running Twenty20 Image Before-After 1.6.1 or older, your site is safe.
  • WPCOM Member (wpcom-member): Pre-release versions 1.3.16, 1.3.15
    • Patched Version: The vulnerable versions were never officially released, therefore no patched version is required. If your site is running WPCOM Member 1.3.14 or older, your site is safe.

If you are a developer with a WordPress.org account, please audit your committers and remove any that are no longer used, ensure all committers are using strong and unique passwords, and enable 2FA and release confirmations as soon as possible so that more software is not successfully compromised.

If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode. We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan with the Wordfence plugin or Wordfence CLI and removing any malicious code.
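As an added example (not Wordfence's code, nor the scanner the post refers to), the following Python script applies two indicators this post gives to a wp-content/plugins tree: the attacker-controlled IP address and the never-released pre-release versions listed above. The sample plugin tree it scans is constructed inline so the script runs offline; point scan_plugins() at a real plugins directory to use it.

```python
import os
import re
import tempfile

ATTACKER_IP = "94.156.79.8"  # attacker-controlled server IP named in the post
IOC_RE = re.compile(rb"(?<![\d.])" + re.escape(ATTACKER_IP).encode() + rb"(?![\d.])")
# Pre-release versions the post lists as carrying malicious commits (never released).
MALICIOUS_PRERELEASES = {
    "pods": {"3.2.2"},
    "twenty20": {"1.6.2", "1.6.3", "1.5.4"},
    "wpcom-member": {"1.3.16", "1.3.15"},
}
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)

def plugin_version(plugin_dir):
    """Return the 'Version:' header from the first PHP file that carries one, else None."""
    for name in sorted(n for n in os.listdir(plugin_dir) if n.endswith(".php")):
        with open(os.path.join(plugin_dir, name), errors="replace") as fh:
            m = VERSION_RE.search(fh.read(8192))  # plugin headers sit at the top of the file
        if m:
            return m.group(1)
    return None

def scan_plugins(plugins_root):
    """Return (plugin_slug, reason) findings for IoC hits and known-bad versions."""
    findings = []
    for slug in sorted(os.listdir(plugins_root)):
        pdir = os.path.join(plugins_root, slug)
        if not os.path.isdir(pdir):
            continue
        ver = plugin_version(pdir)
        if ver in MALICIOUS_PRERELEASES.get(slug, set()):
            findings.append((slug, f"malicious pre-release version {ver}"))
        for root, _, files in os.walk(pdir):
            for fn in files:
                with open(os.path.join(root, fn), "rb") as fh:
                    if IOC_RE.search(fh.read()):
                        findings.append((slug, f"attacker IP {ATTACKER_IP} in {fn}"))
    return findings

def build_sample_tree():
    """Constructed fixture: a clean plugin beside a pods copy with the bad version and the IoC."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "clean-plugin"))
    with open(os.path.join(root, "clean-plugin", "clean-plugin.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Clean\nVersion: 1.0.0\n*/\n")
    os.makedirs(os.path.join(root, "pods"))
    with open(os.path.join(root, "pods", "init.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Pods\nVersion: 3.2.2\n*/\n// constructed: 94.156.79.8\n")
    return root
```

A hit on either indicator is a reason to treat the site as compromised and follow the incident response steps above; a clean result from this script alone is not proof of a clean site, since the post's full malware signatures are not reproduced here.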

Wordfence Premium, Care, and Response users, as well as paid Wordfence CLI users, have malware signatures to detect this malware. Wordfence free users will receive the same detection after a 30-day delay, on July 25th, 2024. If you are running a malicious version of one of the plugins, the Wordfence Vulnerability Scanner will notify you that you have a vulnerability on your site, and you should update the plugin where an update is available or remove it as soon as possible.

You can view our full guide to cleaning your WordPress site here, or you can sign up for Wordfence Care or Wordfence Response where we offer complete incident response services for an entire year 24/7/365.
