Thousands of WordPress websites are at risk of being completely taken over by hackers, after the updating process of multiple plugins was compromised to deploy malicious code.
Security researchers from Wordfence, an organization that monitors the security of the world’s biggest website builder platform, warned that they so far discovered five plugins whose patching functionality had been poisoned.
When users patch these WordPress plugins, they receive a piece of code that creates a new admin account, whose credentials are then sent to the attackers. Therefore, the threat actors (whose identity has not yet been discovered) gain full, unabated access to the website.
WordPress risks
The plugins are called Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, Contract Form 7 Multi-Step Addon, and Simply Show Hooks. Cumulatively, these five plugins have 36,000 installs, with Social Warfare being by far the most popular one (30,000 installs).
At press time, it was not yet determined how the attackers managed to compromise the patching process for these five plugins. Journalists at Ars Technica tried reaching out to the developers, but received no answer (some didn’t even list any contact information on the plugin websites making it impossible to communicate).
WordPress is generally considered a secure website building platform. But it has a rich store of third-party themes and plugins, many of which are not as protected, or maintained, as the underlying platform. As such, they are a great entry point for threat actors.
Furthermore, the themes and plugins can be both free-to-use and commercial, and the former ones are often abandoned, or maintained by a single developer/hobbyist. Hence, WordPress administrators should be very careful when installing third-party additions to their websites, and make sure they install only those they are intending to use. Finally, they should keep them updated at all times and keep an eye out for news on vulnerabilities.
