An unknown threat actor has compromised five (and possibly more) WordPress plugins and injected them with code that creates a new admin account, effectively giving the attacker complete control over the affected WordPress installations and websites.
“In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website,” Wordfence researchers noted.
The backdoored plugins have collectively been downloaded by 35,000+ WordPress users. They are:
“The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow,” the Wordfence Threat Intelligence team said on Monday.
“The earliest injection appears to date back to June 21st, 2024, and the threat actor was still actively making updates to plugins as recently as 5 hours ago. At this point we do not know exactly how the threat actor was able to infect these plugins.”
Since then, all except the last plugin have (presumably) been updated by their developers, though the new versions cannot currently be downloaded because WordPress.org has blocked downloads “pending a full review”.
“If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode,” Wordfence threat analysts advise.
This should include checking for unknown/unauthorized WordPress administrative user accounts and deleting them, running a complete malware scan with the Wordfence plugin or Wordfence CLI, and removing any malicious code or artifacts found.
For example, as one commenter discovered, “the maliciously added administrator accounts [have been] replicated in matomo’s wp_matomo_user table.”
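As an added example of the first response step (not code from the article or from Wordfence), the script below parses the CSV that WP-CLI prints for `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` and flags any administrator who is not on a site owner's known-good allowlist or who was registered on or after June 21st, 2024, the earliest injection date Wordfence reported. The allowlist and the sample rows are assumptions constructed for the example.

```python
"""Flag unexpected WordPress administrator accounts from WP-CLI CSV output.

Assumptions (not from the article): the site owner keeps an allowlist of
legitimate admin logins, and the review cutoff is the earliest injection
date Wordfence reported, 2024-06-21.
"""
import csv
import io
from datetime import datetime

EARLIEST_INJECTION = datetime(2024, 6, 21)

# Constructed sample rows (not real site data), in the shape produced by:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2019-03-02 10:15:00
7,admin_bob,bob@example.com,2022-11-19 08:00:00
42,support,support@example.net,2024-06-22 03:41:17
"""


def suspicious_admins(csv_text, known_admins, cutoff=EARLIEST_INJECTION):
    """Return (login, reason) for every admin row that is either absent from
    the allowlist or registered on/after the cutoff date."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"]
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in known_admins:
            reasons.append("not in allowlist")
        if registered >= cutoff:
            reasons.append(f"registered {registered:%Y-%m-%d} after earliest known injection")
        if reasons:
            findings.append((login, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Hypothetical allowlist maintained by the site owner.
    for login, reason in suspicious_admins(SAMPLE_CSV, {"siteowner", "admin_bob"}):
        print(f"REVIEW: {login}: {reason}")
```

Deleting a flagged WordPress user does not remove a copy replicated into Matomo's wp_matomo_user table, so that table needs its own check.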
Wordfence has promised to provide more information as it becomes available and says it is working on a set of malware signatures to detect these compromised WordPress plugins.