Latest Cyber Security News

You are here: Home / General Cyber Security News / Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts
June 25, 2024

Multiple WordPress plugins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts with the aim of performing arbitrary actions.

“The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server,” Wordfence security researcher Chloe Chamberland said in a Monday alert.

“In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website.”

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


Cybersecurity

The admin accounts have the usernames “Options” and “PluginAuth,” with the account information exfiltrated to the IP address 94.156.79[.]8.

It’s currently not known how the unknown attackers behind the campaign managed to compromise the plugins, but the earliest signs of the software supply chain attack date back to June 21, 2024.

The plugins in question are no longer available for download from the WordPress plugin directory pending ongoing review –

  • Social Warfare 4.4.6.4 – 4.4.7.1 (Patched version: 4.4.7.3) – 30,000+ installs
  • Blaze Widget 2.2.5 – 2.5.2 (Patched version: N/A) – 10+ installs
  • Wrapper Link Element 1.0.2 – 1.0.3 (Patched version: N/A) – 1,000+ installs
  • Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (Patched version: N/A) – 700+ installs
  • Simply Show Hooks 1.2.1 (Patched version: N/A) – 4,000+ installs

Users of the aforementioned plugins are advised to inspect their sites for suspicious administrator accounts and delete them, in addition to removing any malicious code.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *