Patch These Compromised WordPress Plugins ASAP

WordPress website administrators, take note! Researchers are urging WordPress users to update their sites with the latest plugin releases due to a recent supply-chain attack on WordPress.org that has compromised at least five different WordPress plugins.

WordPress Plugins Compromised In A Supply-Chain Attack

In a recent article, Wordfence, a WordPress security service, revealed a sophisticated attack on WordPress.org plugins where five plugins were compromised.

The attack involved injecting malicious code into legitimate plugins to target WordPress websites in a supply-chain attack.

Initially, the compromise was detected in the Social Warfare WordPress plugin, which led to the identification of four other infected plugins. These include:

  • Social Warfare 4.4.6.4 – 4.4.7.1
  • Blaze Widget 2.2.5 – 2.5.2
  • Wrapper Link Element 1.0.2 – 1.0.3
  • Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5
  • Simply Show Hooks 1.2.1

The researchers explained that the malware aims to create rogue admin accounts and share access with attackers. The malware was not obfuscated, making it “easy to follow” due to added comments, according to Wordfence.

Upon discovering the attack, the Wordfence team informed the plugin developers, who then took steps to address the issue and release security patches. It is crucial for all users running any of the affected versions listed above to update their websites with the latest plugin releases.

Although the patches have been released, users may not immediately access the patched plugin versions as all five plugins have been temporarily locked for downloads pending a full review. Users should remain vigilant for updates to secure their sites accordingly.

Furthermore, users are advised to check other plugins on their WordPress sites for potential infections and security updates to mitigate the threat.
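As an added example (not code from the article or from Wordfence), the script below covers the two checks the article asks administrators to make: whether any installed plugin falls inside the affected version ranges listed above, and whether the site has administrator accounts that nobody on the team created, which is what the injected code was reported to do. The plugin inventory and user list are constructed sample data; on a real site you would feed in your own plugin and user lists (for instance from WP-CLI's `wp plugin list` and `wp user list`, which is an assumption about your tooling, and you would map your plugin slugs to the display names used here).

```python
"""Check a WordPress site's plugin versions against the affected ranges from
the Wordfence report, and list administrator accounts that are not expected.
All sample data below is constructed for the example, not taken from a site."""

# Affected version ranges exactly as given in the article (inclusive bounds).
AFFECTED = {
    "Social Warfare": ("4.4.6.4", "4.4.7.1"),
    "Blaze Widget": ("2.2.5", "2.5.2"),
    "Wrapper Link Element": ("1.0.2", "1.0.3"),
    "Contact Form 7 Multi-Step Addon": ("1.0.4", "1.0.5"),
    "Simply Show Hooks": ("1.2.1", "1.2.1"),  # single affected version
}


def parse_version(version):
    """Turn '4.4.6.4' into a comparable tuple of ints.

    Non-numeric components count as 0, and trailing zeros are dropped so that
    '2.5.2.0' compares equal to '2.5.2'.
    """
    parts = [int(p) if p.isdigit() else 0 for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(name, version):
    """True when the named plugin at this version is inside an affected range."""
    if name not in AFFECTED:
        return False
    low, high = AFFECTED[name]
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def find_affected(inventory):
    """Return [(name, version), ...] for every installed plugin in an affected range."""
    return [(name, ver) for name, ver in inventory.items() if is_affected(name, ver)]


def unexpected_admins(users, expected_logins):
    """Return administrator logins that are not on the team's allowlist.

    `users` is a list of dicts with 'user_login' and 'roles' keys (the shape
    assumed here for a user export); `expected_logins` is the set of admin
    logins the site owner knows about.
    """
    return sorted(
        u["user_login"]
        for u in users
        if "administrator" in u.get("roles", []) and u["user_login"] not in expected_logins
    )


# Constructed sample inventory: three of these fall inside the affected ranges.
SAMPLE_INVENTORY = {
    "Social Warfare": "4.4.7.1",
    "Blaze Widget": "2.2.4",
    "Wrapper Link Element": "1.0.3",
    "Contact Form 7 Multi-Step Addon": "1.0.6",
    "Simply Show Hooks": "1.2.1",
    "Akismet": "5.3",
}

# Constructed sample user export: 'wpsupport' is an admin nobody on the team created.
SAMPLE_USERS = [
    {"user_login": "admin", "roles": ["administrator"]},
    {"user_login": "editor1", "roles": ["editor"]},
    {"user_login": "wpsupport", "roles": ["administrator"]},
]

if __name__ == "__main__":
    for name, ver in find_affected(SAMPLE_INVENTORY):
        print(f"AFFECTED: {name} {ver} (update or remove it)")
    for login in unexpected_admins(SAMPLE_USERS, {"admin"}):
        print(f"UNEXPECTED ADMIN: {login} (verify who created it)")
```

Both checks are intentionally conservative: a version just outside a listed range is reported as clean, so keep the `AFFECTED` table in step with the vendor's advisory, and treat an unexpected administrator as something to verify with the team rather than proof of compromise on its own.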

We welcome your thoughts in the comments section.