After the June 24th supply chain attacks on five WordPress plugins, attackers have infected four more plugins with malware: WP Server Health Stats, Ad Invalid Click Protector, PowerPress Podcasting plugin by Blubrry, and SEO Optimised Images.
Currently, these plugins have been closed for downloads, and new code has been released to neutralise the malicious admin passwords, preventing further infections.
In these attacks, the attacker gained access to the plugins' developer accounts using credentials previously exposed in data breaches, then injected malicious code into the plugins. Whenever site owners updated them, that code created unauthorised administrative accounts and added SEO spam and crypto miners.
The attack now affects nine plugins, potentially impacting up to 116,000 WordPress sites. The attacker has also employed randomised usernames and attempted to disable Wordfence, a popular WordPress security plugin, to evade detection.
Despite these efforts, researchers discovered that the attacker’s server IP (94.156.79.8) has remained constant, aiding in tracking their activities.
The compromised plugins and their patched versions are as follows:
- WP Server Health Stats (wp-server-stats): Version 1.7.6, patched to 1.7.8
- Ad Invalid Click Protector (AICP) (ad-invalid-click-protector): Version 1.2.9, patched to 1.2.10
- PowerPress Podcasting plugin by Blubrry (powerpress): Versions 11.9.3-11.9.4, patched to 11.9.6
- SEO Optimised Images (seo-optimised-images): Version 2.1.2, patched to 2.1.4
Additionally, the attacker compromised accounts for the following plugins but failed to release the malicious updates:
- Pods — Custom Content Types and Fields (pods): Pre-release version 3.2.2
- Twenty20 Image Before-After (twenty20): Pre-release versions 1.6.2, 1.6.3, and 1.5.4
- WPCOM Member (wpcom-member): Pre-release versions 1.3.16 and 1.3.15
In these cases, the plugins’ authors had implemented release confirmation, successfully preventing the release of malicious versions.
“If you are a developer with a WordPress.org account, please do an audit of your committers and remove any that are no longer used, ensure all committers are utilising strong and unique passwords, and enable 2FA and release confirmations as soon as possible so we can prevent more software from being successfully compromised,” the researchers noted.
Furthermore, if users have any of the nine plugins installed, they should consider their website compromised. According to cybersecurity experts, they should check their WordPress administrative user accounts and delete any unauthorised entries, conduct a thorough malware scan, and remove any detected malicious code.
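The two checks the article recommends, as an added example that is not part of the article: flag installed plugins whose version is one of the backdoored releases listed above (only the four plugins named on this page are in the table; the five from June 24th are not), and list administrator accounts that are not on the site owner's own allow-list. The inventory and user lists are constructed sample input, shaped like the output of `wp plugin list` and `wp user list`.

```python
# Added example, not code from the article. Plugin slugs and versions are the
# ones the article lists; the installed-plugin inventory and admin user lists
# below are constructed sample data.
from typing import Dict, List, Tuple

# slug -> (backdoored versions, first clean version), per the article
AFFECTED = {
    "wp-server-stats": ({"1.7.6"}, "1.7.8"),
    "ad-invalid-click-protector": ({"1.2.9"}, "1.2.10"),
    "powerpress": ({"11.9.3", "11.9.4"}, "11.9.6"),
    "seo-optimised-images": ({"2.1.2"}, "2.1.4"),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10); plain string comparison would rank 1.2.10 below 1.2.9."""
    return tuple(int(p) for p in v.split("."))

def classify_plugin(slug: str, version: str) -> str:
    """Return 'compromised', 'patched', 'unaffected' or 'not-listed' for one plugin."""
    if slug not in AFFECTED:
        return "not-listed"
    bad, fixed = AFFECTED[slug]
    if version in bad:
        return "compromised"
    if parse_version(version) >= parse_version(fixed):
        return "patched"
    # Older than the first backdoored build: never shipped the malware, still needs updating
    return "unaffected"

def audit(installed: Dict[str, str], admins: List[str],
          known_admins: List[str]) -> Dict[str, List[str]]:
    """Summarise the checks the article asks site owners to perform."""
    report: Dict[str, List[str]] = {"compromised": [], "unexpected_admins": []}
    for slug, version in installed.items():
        if classify_plugin(slug, version) == "compromised":
            report["compromised"].append(f"{slug} {version}")
    # Any admin login not on the owner's allow-list needs review; the article
    # notes the attacker used randomised usernames for the accounts it created.
    report["unexpected_admins"] = [u for u in admins if u not in known_admins]
    return report

# Constructed sample inventory (e.g. from `wp plugin list --format=json`)
SAMPLE_PLUGINS = {"powerpress": "11.9.4", "seo-optimised-images": "2.1.4",
                  "wp-server-stats": "1.7.5", "akismet": "5.3"}
SAMPLE_ADMINS = ["alice", "x7f2k9q3"]   # constructed; second one looks randomised
KNOWN_ADMINS = ["alice"]

if __name__ == "__main__":
    print(audit(SAMPLE_PLUGINS, SAMPLE_ADMINS, KNOWN_ADMINS))
```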