Update #1: As of 12:36PM EST, another plugin has been infected.
We've updated the list below to include this fourth plugin and the plugins team has been notified.
Update #2: As of 2:20 PM EST, two more plugins appear to have malicious commits. The releases have not officially been made, meaning no sites should be affected currently.
We've updated the list below to include these additional plugins and the plugins team has been notified.
Update #3: As of 4:44 PM EST, only one more plugin has received malicious commits, and again the release was not officially made, meaning no sites should be affected.
We've updated the list below to include this additional plugin and the plugins team has been notified.
At this point the WordPress.org team is holding any further plugin releases and is ensuring only non-malicious releases are made.
On June 24th, 2024, we became aware of a supply chain attack targeting multiple WordPress plugins hosted on WordPress.org.
An attacker successfully compromised five WordPress.org accounts whose developers were using credentials previously exposed in data breaches, and committed malicious code to their plugins. The injected code creates new administrative user accounts and adds SEO spam and cryptominers whenever the site owner updates the plugin to the latest version.
While we continue to monitor the situation, we found that three additional plugins have been injected with malicious code today.
At this point, all three plugins have been closed for downloads by the plugins team, the malicious code has been removed, and new releases have been published that nullify the passwords of the attacker-created admin accounts to prevent further infection.
This brings the total up to 8 plugins affecting anywhere up to 116,000 WordPress sites.
The following is a list of plugins where the attacker was able to make a malicious commit by compromising a committer's account, but was unsuccessful in releasing the update.
No sites running the following plugins should be affected.
Twenty20 Image Before-After: Pre-release versions 1.6.2, 1.6.3, 1.5.4. Patched version: the vulnerable versions were never officially released, so no patched version is required.
WPCOM Member: Pre-release versions 1.3.16, 1.3.15. Patched version: the vulnerable versions were never officially released, so no patched version is required.
If you are a developer with a WordPress.org account, please audit your committers and remove any that are no longer used, ensure all committers are using strong and unique passwords, and enable 2FA and release confirmations as soon as possible so we can prevent more software from being compromised.
If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode.
We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan with the Wordfence plugin or Wordfence CLI and removing any malicious code.
If you are running a malicious version of one of the plugins, you will be notified by the Wordfence Vulnerability Scanner that you have a vulnerability on your site and you should update the plugin where available or remove it as soon as possible.
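One way to carry out the administrative-account check above, as an added example that is not part of the original post or of any Wordfence tool: it parses the JSON that `wp user list --role=administrator --format=json` produces, flags administrators that are missing from an owner-maintained baseline or were registered inside a review window, and prints WP-CLI removal commands for the operator to review. The account records, the approved-login baseline and the review date are all constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample in the shape of `wp user list --role=administrator --format=json`
# output (fields ID, user_login, display_name, user_email, user_registered, roles).
# Every account and date here is invented for the example.
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "siteowner", "display_name": "Site Owner",
     "user_email": "owner@example.com", "user_registered": "2021-03-02 10:15:00",
     "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "display_name": "Jane",
     "user_email": "jane@example.com", "user_registered": "2022-08-19 09:00:00",
     "roles": "administrator"},
    {"ID": 37, "user_login": "zx7q_admin", "display_name": "zx7q_admin",
     "user_email": "zx7q@example.invalid", "user_registered": "2024-06-22 03:41:12",
     "roles": "administrator"},
])

# Assumed baseline of administrator logins the site owner knows about, kept out of band.
APPROVED_ADMINS = {"siteowner", "editor_jane"}


def find_suspect_admins(wp_user_json, approved_logins, created_since):
    """Return administrator accounts that are not in the approved baseline or were
    registered on/after `created_since` (YYYY-MM-DD). Each hit lists its reasons."""
    window_start = datetime.strptime(created_since, "%Y-%m-%d")
    suspects = []
    for user in json.loads(wp_user_json):
        if "administrator" not in user["roles"].split(","):
            continue
        reasons = []
        if user["user_login"] not in approved_logins:
            reasons.append("not in approved administrator list")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= window_start:
            reasons.append(f"registered {registered:%Y-%m-%d} (inside the review window)")
        if reasons:
            suspects.append({"ID": user["ID"], "user_login": user["user_login"], "reasons": reasons})
    return suspects


def removal_commands(suspects, reassign_to):
    """Build `wp user delete` commands for operator review; content owned by the
    removed account is reassigned to a trusted user ID so posts are not lost."""
    return [f"wp user delete {s['ID']} --reassign={reassign_to}" for s in suspects]


if __name__ == "__main__":
    hits = find_suspect_admins(SAMPLE_WP_USER_LIST, APPROVED_ADMINS, "2024-06-20")
    for hit in hits:
        print(f"[!] ID {hit['ID']} ({hit['user_login']}): " + "; ".join(hit["reasons"]))
    for cmd in removal_commands(hits, reassign_to=1):
        print("review, then run:", cmd)
```

Feed it the real `wp user list` output from the affected site and a baseline recorded before the update, and treat every flagged account as part of the incident rather than deleting it blindly.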
This Cyber News was published on www.wordfence.com. Publication date: Fri, 28 Jun 2024 15:43:06 +0000