Wordpress: Five plug-ins infiltrated with malware
IT security researchers have discovered the same malware in five WordPress plug-ins. There is only an update for one of them.
(Image: Postmodern Studio/Shutterstock.com)
IT researchers from Wordfence have detected the same malicious code in five plug-ins for the Wordpress content management system. Only one of the affected plug-ins has an update that removes the malware. The other plug-ins should be uninstalled.
In a blog post, Wordfence writes that on Monday of this week, the Social Warfare plug-in attracted attention through a forum post in which the Wordpress Plug-in Review Team reported that malicious code had been injected there on Saturday. Upon investigating the plug-in, Wordfence IT researchers found four other plug-ins that contained the malicious code in question.
Malicious code creates administrator accounts in Wordpress
A malicious actor has compromised the source code of various plug-ins and injected code that exfiltrates database credentials and is used to create new, malicious administrator accounts and send this data to a server. Wordfence writes this in the CVE entry for the vulnerability(CVE-2024-6297, no CVSS value and no risk rating yet). In the blog post, the IT researchers add that malicious JavaScript code apparently also ends up in the footer of the websites, which injects SEO spam into the page.
The following plug-ins are infected with the malware:
- social-warfare, version 4.4.6.4 - 4.4.7.1, 30,000+ installations
- blaze-widget, version 2.2.5 - 2.5.2, 60+ installations
- wrapper-link-elementor, version 1.0.2 - 1.0.3, 1000+ installations
- contact-form-7-multi-step-addon, version 1.0.4 - 1.0.5, 700+ installations
- simply-show-hooks, version 1.2.1, no active installations.
There is a patched version of Social Warfare, 4.4.7.3 should be fixed. In Wrapper Link Element, according to Wordfence, someone seems to have removed the malicious code, but the latest available version is 1.0.0, whose version number is lower than that of the infected versions. Website operators should therefore uninstall the plug-ins without an available update.
Wordpress has now blocked the download of the plug-ins. Anyone who has installed the plug-ins must consider their instance to be compromised and should take emergency measures to contain IT security incidents. This includes checking for administrator accounts in Wordpress and deleting unauthorized accounts and checking the installation for malicious code and removing it if necessary.
Due to the large number of Wordpress plug-ins, IT researchers find some with security vulnerabilities every day. In April, Wordfence employees discovered a vulnerability in the Layerslider plug-in, for example. It was considered critical and allowed attackers to inject their own SQL commands.
(dmk)
