Attackers are increasingly targeting WordPress plugins by using login credentials stolen in other data breaches to gain direct access to plugin developer accounts and, through them, the plugin code. These attacks are particularly concerning because the malicious code arrives as what looks like a normal plugin update, making it difficult for site owners to detect.
What is a Supply Chain Attack?
Normally, attackers exploit flaws in a program's code to inject malicious code or launch other types of attacks. In a supply chain attack, however, the software itself or one of its components (such as a third-party script) is altered at the source to carry malicious code. This means the compromised software itself delivers the malicious payload to everyone who installs it.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) describes a supply chain attack as follows:
“A software supply chain attack happens when a cyber threat actor infiltrates a software vendor’s network and uses malicious code to compromise the software before the vendor sends it to customers. This compromised software can then compromise customer data or systems. Such attacks can affect all users of the compromised software and have widespread consequences for government, critical infrastructure, and private sector customers.”
In the case of WordPress plugins, attackers use stolen passwords to access developer accounts. They then insert malicious code into plugins, creating administrator-level user accounts on any website that uses the compromised plugins.
New Attacks on WordPress Plugins
Wordfence has identified more compromised WordPress plugins, including the popular PowerPress Podcasting plugin by Blubrry. The newly discovered compromised plugins are:
- WP Server Health Stats (wp-server-stats): Version 1.7.6 (Patched in 1.7.8), 10,000 active installations.
- Ad Invalid Click Protector (AICP) (ad-invalid-click-protector): Version 1.2.9 (Patched in 1.2.10), 30,000+ active installations.
- PowerPress Podcasting plugin by Blubrry (powerpress): Versions 11.9.3 – 11.9.4 (Patched in 11.9.6), 40,000+ active installations.
- Seo Optimized Images (seo-optimized-images): Version 2.1.2 (Patched in 2.1.4), 10,000+ active installations.
- Pods – Custom Content Types and Fields (pods): Version 3.2.2, 100,000+ active installations.
- Twenty20 Image Before-After (twenty20): Versions 1.6.2, 1.6.3, 1.5.4, 20,000+ active installations.
Previously compromised plugins include Social Warfare, Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks.
Steps to Take if Using a Compromised Plugin
Some compromised plugins have been patched, but not all. Regardless, site owners should check their databases for rogue admin accounts added by the attack. Look for admin accounts with usernames like “Options” or “PluginAuth,” and any other unrecognized admin accounts.
Wordfence users, both free and Pro, are notified if a compromised plugin is detected. Pro users get immediate malware signatures for detection, while free users receive them after 30 days.
The official Wordfence announcement advises:
“If you have any of these plugins installed, consider your site compromised and immediately enter incident response mode. Check your WordPress admin user accounts and delete any unauthorized ones. Run a complete malware scan with the Wordfence plugin and remove any malicious code. Wordfence Premium, Care, and Response users, as well as paid Wordfence CLI users, have malware signatures to detect this malware. Free users will get the same detection after a 30-day delay. If you are running a malicious version of one of the plugins, update the plugin where possible or remove it immediately.”
By staying vigilant and proactive, you can protect your WordPress site from these escalating supply chain attacks.