Open Source · 2024-06-21 · 3 days · Account Takeover, Defacement

Blaze Widget plugin created backdoors

Part of the WordPress.org plugins created admin backdoors campaign

Malicious code was injected directly into the Blaze Widget plugin repository on WordPress.org.

Story

Blaze Widget was one of the five plugins Wordfence tied to the June 2024 WordPress.org source compromise. The attacker did not create a fake package; the malicious code landed in the official plugin distribution path.

Wordfence listed Blaze Widget versions 2.2.5 through 2.5.2 as infected and reported no patched version at the time of publication. Sites updating through WordPress.org could receive the poisoned plugin.

The shared payload tried to create an administrator account and send credentials to 94.156.79.8. It also injected footer JavaScript for SEO spam, turning a plugin update into both an account-takeover path and a search-spam foothold.

This record keeps the Blaze Widget versions separate from the broader campaign because cleanup depends on the exact plugin slug and version range. The campaign page carries the shared WordPress.org compromise pattern and cross-plugin indicators.

Affected Artifacts

Incident Context

Motive: SEO Spam, Account Takeover
Attribution: Group
Cause: Malicious Injection
Transitive: No
Actor: Third Party

External References

Source record: oss/attacks/wp-blaze-widget/meta.yaml