Summary
A compromise of some WordPress plugins has recently been detected, used by attackers to inject malicious code and exfiltrate sensitive information.
Risk
Estimate of the impact of the vulnerability on the reference community: HIGH/ORANGE (73.07/100)1.
Type
- Remote Code Execution
- Information Leakage
- Privilege Escalation
Description and potential impacts
The Wordfence Threat Intelligence team has recently detected the compromise of some WordPress plugins, within which malicious PHP code has been identified.
In detail, this code would be able to perform the following activities on the impacted instances:
- exfiltrate the user credentials database;
- create administrative users;
- communicate with the C2 server under the control of the attackers;
- insert JavaScript code into the footer of the web pages of the platforms concerned, in order to gain visibility in search engines through the “SEO spam” technique (spamdexing).
For any further information, we recommend consulting the link to the Wordfence security bulletin, present in the References section.
Affected products and versions
The infected plugins detected by security researchers are reported as of now:
- Social Warfare, from version 4.4.6.4 to 4.4.7.1
- Blaze Widget, from version 2.2.5 to 2.5.2
- Wrapper Link Element, versions 1.0.2 and 1.0.3
- Contact Form 7 Multi-Step Addon, versions 1.0.4 and 1.0.5
- Simply Show Hooks, version 1.2.1
Mitigation actions
In line with the statements of security researchers, while waiting for the release of new versions of the plugins, we recommend the timely removal of malicious versions and monitoring the developers’ repositories of the aforementioned plugins.
Finally, we recommend evaluating the verification and implementation – on your security devices – of the Indicators of Compromise (IoC)2 present in the Wordfence security bulletin.
Unique Vulnerability Identifiers
References
https://wordpress.org/support/topic/a-security-message-from-the-plugin-review-team
1This estimate is made taking into account several parameters, including: CVSS, availability of patches/workarounds and PoC, diffusion of affected software/devices in the reference community.
2By definition, not all indicators of compromise are malicious. This CSIRT has no responsibility for implementing any proactive actions (e.g. blocklisting IoCs) related to the indicators provided. The information contained in this document represents the best understanding of the threat at the time of release.
