Multiple WordPress Plugins Compromised: Hackers Create Admin Accounts

Several WordPress plugins have been compromised, with attackers injecting malicious code that enables the creation of unauthorized administrator accounts. These rogue accounts can perform arbitrary actions, posing significant security risks to affected websites.

According to Chloe Chamberland, a security researcher at Wordfence, “The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server.” Additionally, the attackers have injected malicious JavaScript into the website footers, spreading SEO spam throughout the sites.

Affected Plugins and Threat Details

The unauthorized admin accounts have been identified with the usernames “Options” and “PluginAuth.” The exfiltrated account information is sent to the IP address 94.156.79[.]8. The exact method used by the attackers to compromise these plugins is still unknown, but the earliest evidence of the attack dates back to June 21, 2024.

The affected plugins have been removed from the WordPress plugin directory for review. The impacted versions and their installations are as follows:

• Social Warfare (4.4.6.4 – 4.4.7.1) – Patched version: 4.4.7.3 – 30,000+ installs
• Blaze Widget (2.2.5 – 2.5.2) – Patched version: N/A – 10+ installs
• Wrapper Link Element (1.0.2 – 1.0.3) – Patched version: N/A – 1,000+ installs
• Contact Form 7 Multi-Step Addon (1.0.4 – 1.0.5) – Patched version: N/A – 700+ installs
• Simply Show Hooks (1.2.1) – Patched version: N/A – 4,000+ installs

Recommendations for Users

Users of these plugins are strongly advised to:

1. Inspect their websites for any suspicious administrator accounts.
2. Delete any rogue admin accounts immediately.
3. Remove any malicious code found within their site’s footer or other areas.
4. Update to the latest patched versions of the plugins as soon as they are available.

Staying vigilant and proactive is crucial in mitigating the risks posed by such attacks. Regularly monitoring your WordPress site for unusual activities and keeping all plugins updated can help prevent similar security breaches in the future.

Stay Protected with PivIT Strategy

In the wake of these recent security breaches, it’s more important than ever to ensure your WordPress site remains secure. At PivIT Strategy, we specialize in providing comprehensive cybersecurity solutions tailored to meet your unique needs. Here’s how we can help:

• Proactive Monitoring: Our team of experts will continuously monitor your site for any suspicious activities, ensuring that threats are identified and addressed before they can cause harm.
• Vulnerability Management: We perform regular vulnerability assessments and apply patches to keep your plugins and systems up to date, minimizing the risk of exploitation.
• Incident Response: In the event of a security incident, our rapid response team will work quickly to contain the threat, mitigate damage, and restore your site to full functionality.
• Security Training: We offer training for your team on best practices for maintaining site security, helping to build a culture of awareness and preparedness.

Don’t wait until it’s too late. Contact PivIT Strategy today. Our dedicated professionals are here to provide the protection and peace of mind you need in an increasingly complex cybersecurity landscape.