On June 24th, 2024, we became aware of a supply chain attack targeting multiple WordPress plugins hosted on WordPress.org. An attacker compromised five WordPress.org accounts whose developers were reusing credentials previously exposed in data breaches, and committed malicious code to the plugins that injects new administrative user accounts, SEO spam and cryptominers whenever a site owner updates the plugin to the latest version.
While we continue to monitor the situation, we found today that three additional plugins had been injected with malicious code. Two had already been remediated by the WordPress.org team by the time we saw them; the third was discovered by our team and reported to them immediately. All three plugins have since been closed for downloads by the Plugins team, the malicious code has been removed, and new releases have been published that invalidate the attacker-created admin passwords to prevent further infection.
The three additional plugins that have been compromised, with affected and patched versions:
WP Server Health Stats (wp-server-stats): affected 1.7.6; patched in 1.7.8
Ad Invalid Click Protector (AICP) (ad-invalid-click-protector): affected 1.2.9; patched in 1.2.10
PowerPress Podcasting plugin by Blubrry (powerpress): affected 11.9.3 – 11.9.4; patched in 11.9.6
This brings the total to eight plugins, affecting up to 116,000 WordPress sites. This time the attacker is using randomized usernames and attempts to disable Wordfence, likely in a crude attempt to evade detection. The attacker-controlled server IP (94.156.79.8) remains the same, however.
If you are a developer with a WordPress.org account, please do an audit of your committers and remove any that are no longer used, ensure all committers are utilizing strong and unique passwords, and enable 2FA and release confirmations as soon as possible so we can prevent more software from being successfully compromised.
If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode. We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan with the Wordfence plugin or Wordfence CLI and removing any malicious code.
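The following triage script is an added example for this post; it is not Wordfence code, not Wordfence CLI, and not code from any of the affected plugins. It ties together the three checks above: it reads the standard WordPress `Version:` plugin header for the three plugin slugs listed and flags the affected versions, sweeps the plugin directory for files containing the attacker IP named above as a literal-string IOC, and compares an administrator list (the CSV shape of `wp user list --role=administrator --format=csv`) against an allow-list of known admins. The plugin tree, the dropped file and the user CSV it runs on are constructed for the example; the file name `sample-dropper.php` and the login `x7q2k` are placeholders, not real indicators.

```python
import csv
import io
import os
import re
import tempfile

# Affected versions and patched releases as listed in this post (slug -> (affected, patched)).
AFFECTED = {
    "wp-server-stats": ({"1.7.6"}, "1.7.8"),
    "ad-invalid-click-protector": ({"1.2.9"}, "1.2.10"),
    "powerpress": ({"11.9.3", "11.9.4"}, "11.9.6"),
}
# Attacker-controlled server IP named in the post, used as a literal-string IOC.
ATTACKER_IP = "94.156.79.8"

# WordPress reads plugin header fields from the first 8 KB of the main file; mirror that.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def read_plugin_version(plugin_dir):
    """Return the Version: header of the first top-level .php file that carries one."""
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if not name.endswith(".php") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(8192).decode("utf-8", "replace")
        m = HEADER_RE.search(head)
        if m:
            return m.group(1)
    return None


def find_ioc(root, needle):
    """Relative paths of all files under root containing needle (byte search, any extension)."""
    hits = []
    needle_b = needle.encode()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if needle_b in fh.read():
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def triage(plugins_root):
    """Report installed affected plugin versions and files referencing the attacker IP."""
    vulnerable = []
    for slug, (bad_versions, patched) in AFFECTED.items():
        plugin_dir = os.path.join(plugins_root, slug)
        if not os.path.isdir(plugin_dir):
            continue  # plugin not installed on this site
        version = read_plugin_version(plugin_dir)
        if version in bad_versions:
            vulnerable.append((slug, version, patched))
    return {"vulnerable": vulnerable, "ioc_hits": find_ioc(plugins_root, ATTACKER_IP)}


def unexpected_admins(user_list_csv, known_admins):
    """Administrator logins missing from the allow-list; input is wp user list CSV output."""
    rows = csv.DictReader(io.StringIO(user_list_csv))
    return sorted(r["user_login"] for r in rows if r["user_login"] not in known_admins)


def build_sample_tree():
    """Constructed plugin tree (not real plugin code) so the example runs stand-alone."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    write("wp-server-stats/wp-server-stats.php",
          "<?php\n/*\nPlugin Name: WP Server Health Stats\nVersion: 1.7.6\n*/\n")
    # Synthetic dropped file that references the attacker IP (constructed, placeholder name).
    write("wp-server-stats/inc/sample-dropper.php",
          "<?php $c = 'http://94.156.79.8/'; // constructed IOC hit\n")
    write("powerpress/powerpress.php", "<?php\n/*\nPlugin Name: PowerPress\nVersion: 11.9.6\n*/\n")
    write("ad-invalid-click-protector/aicp.php", "<?php\n/*\nPlugin Name: AICP\nVersion: 1.2.10\n*/\n")
    return root


# Constructed WP-CLI output; "x7q2k" stands in for a randomized attacker-created login.
SAMPLE_USERS_CSV = (
    "ID,user_login,user_email,roles\n"
    "1,admin,admin@example.com,administrator\n"
    "42,x7q2k,x7q2k@example.com,administrator\n"
)

if __name__ == "__main__":
    print(triage(build_sample_tree()))
    print(unexpected_admins(SAMPLE_USERS_CSV, {"admin"}))
```

On a real site, point `triage()` at `wp-content/plugins` and feed `unexpected_admins()` the output of `wp user list --role=administrator --format=csv`. A clean IOC sweep does not prove a clean site: the string match only catches the hard-coded IP, so treat a hit as confirmation and a miss as inconclusive, and still run the full malware scan recommended above.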
Wordfence Premium, Care, and Response users, as well as paid Wordfence CLI users, have malware signatures to detect this malware. Wordfence free users will receive the same detection after a 30 day delay on July 25th, 2024. If you are running a malicious version of one of the plugins, you will be notified by the Wordfence Vulnerability Scanner that you have a vulnerability on your site and you should update the plugin where available or remove it as soon as possible.
You can view our full guide to cleaning your WordPress site here, or you can sign up for Wordfence Care or Wordfence Response where we offer complete incident response services for an entire year 24/7/365.
The post 3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords appeared first on Wordfence.