
In the course of an ongoing supply chain attack, a backdoor was introduced into several WordPress plugins


Security researchers said Monday that a supply chain attack of unknown origin left WordPress plugins running on up to 36,000 websites backdoored.

So far, five plugins have been affected by the campaign, which was active as recently as Monday morning, researchers at security firm Wordfence reported. Over the past week, unknown threat actors have added malicious functionality to updates available for the plugins on WordPress.org, the official website of the open-source CMS software WordPress. When installed, the updates automatically create an attacker-controlled administrator account that provides full control over the compromised website. The updates also add content designed to manipulate search results.

Poisoning the well

“The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout, making it easy to track,” the researchers wrote. “The earliest injection appears to date back to June 21, 2024, and the threat actor was actively making updates to plugins as recently as 5 hours ago.”

The five plugins are:

Over the past decade, supply chain attacks have become one of the most effective vectors for installing malware. By poisoning software right at the source, threat actors can infect large numbers of devices when users do nothing more than run a trusted update or installer file. Disaster was narrowly averted earlier this year when a backdoor in the widely used open source code library XZ Utils was discovered, largely by luck, a week or two before its planned general release. Examples of other recent supply chain attacks abound.

Researchers are continuing to investigate the malware and how it became available for download in the WordPress plugin channel. Representatives from WordPress, BLAZE, and Social Warfare did not respond to emailed questions. Representatives from the developers of the remaining three plugins could not be reached because they did not provide contact information on their websites.

Wordfence researchers said they found the first evidence of the attack on Saturday in this post by a member of the WordPress plugin review team. Researchers analyzed the malicious file and identified four other plugins infected with similar code. The researchers further wrote:

At this point, we know that the injected malware attempts to create a new administrator user account and then sends that data back to the attacker-controlled server. In addition, the threat actor also appears to have injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the site. The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout, making it easy to track. The earliest injection appears to date back to June 21, 2024, and the threat actor was actively making updates to plugins as recently as 5 hours ago. At this point, we do not know exactly how the threat actor was able to infect these plugins.

Anyone who has one of these plugins installed should uninstall it immediately and carefully check their site for recently created administrator accounts and malicious or unauthorized content. Sites that use the Wordfence Vulnerability Scanner will receive a warning if they run one of these plugins.

The Wordfence post also recommended that users check their websites for connections from the IP address 94.156.79.8 and administrator accounts with the usernames “Options” or “PluginAuth.”
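A small defender-side triage script for the two checks the Wordfence post recommends, added here as an example rather than code from the article or from Wordfence. It assumes you can export wp_users with each account's role (WordPress keeps roles in wp_usermeta, so the export is a join) and read the web server access log; all sample data below is constructed.

```python
# Added triage example (not Wordfence's or WordPress's code). Assumes an
# export of wp_users with each account's role, plus the web server access
# log; all sample data below is constructed.
from datetime import date, datetime
import re

# Indicators quoted in the Wordfence post above.
SUSPECT_USERNAMES = {"Options", "PluginAuth"}
SUSPECT_IP = "94.156.79.8"
EARLIEST_INJECTION = date(2024, 6, 21)

# Constructed sample of wp_users rows joined with each user's role.
USERS = [
    {"user_login": "alice", "role": "administrator", "registered": "2021-03-02 10:00:00"},
    {"user_login": "Options", "role": "administrator", "registered": "2024-06-22 03:14:07"},
    {"user_login": "editor1", "role": "editor", "registered": "2024-06-25 09:00:00"},
    {"user_login": "helper", "role": "administrator", "registered": "2024-06-24 18:30:00"},
]

# Constructed sample lines in the common/combined access-log format.
ACCESS_LOG = """\
203.0.113.5 - - [22/Jun/2024:03:10:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512
94.156.79.8 - - [22/Jun/2024:03:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41
198.51.100.7 - - [23/Jun/2024:11:02:44 +0000] "GET / HTTP/1.1" 200 9130
"""

def suspicious_admins(users, since=EARLIEST_INJECTION):
    """Admin accounts using a known backdoor username, or created on/after the
    first known injection date (catches the same backdoor with a renamed user)."""
    hits = []
    for u in users:
        if u["role"] != "administrator":
            continue
        created = datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S").date()
        if u["user_login"] in SUSPECT_USERNAMES or created >= since:
            hits.append(u["user_login"])
    return hits

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def log_hits(log_text, ip=SUSPECT_IP):
    """(timestamp, request) for every access-log line whose client is the attacker IP."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ip") == ip:
            found.append((m.group("ts"), m.group("req")))
    return found
```

Any account the first function returns deserves a manual look rather than automatic deletion, since a legitimately added administrator will also match the date check.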