Open Source · 2024-06-21 · 3 days · Account Takeover, Defacement

Contact Form 7 addon created backdoors

Part of the "WordPress.org plugins created admin backdoors" campaign

Malicious code was injected directly into the Contact Form 7 Multi-Step Addon plugin repository on WordPress.org.

Story

Contact Form 7 Multi-Step Addon was part of the same June 2024 WordPress.org plugin campaign. The compromise sat in the official plugin repository, so normal update behavior delivered the malicious code.

Wordfence identified versions 1.0.4 and 1.0.5 as infected and reported no patched version when it published. The correct response was removal or replacement until a safe release existed.

The shared malware tried to create new administrator users and report credentials to 94.156.79.8. It also placed SEO-spam JavaScript in the site footer, giving the attacker persistence and monetization from the same plugin update.

This record captures the Contact Form 7 add-on artifact, not the whole campaign. The package-level boundary matters because site owners had to search for this specific slug and infected version pair, not merely for any WordPress compromise.
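The package-and-version search described above can be scripted against a site's plugins directory. The following is an added example, not code from this record or from Wordfence. It assumes the plugin's header carries the name used on this page, and the directory names in `demo()` are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Name and infected versions come from the record above.
PLUGIN_NAME = "Contact Form 7 Multi-Step Addon"  # assumed to match the header
INFECTED_VERSIONS = {"1.0.4", "1.0.5"}
# WordPress reads plugin metadata from "Field: value" lines in a comment
# near the top of a plugin PHP file; 8 KB covers that header.
HEADER_BYTES = 8192
FIELD_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$", re.M | re.I)

def read_header(php_file):
    """Return the 'plugin name' and 'version' header fields of one PHP file."""
    try:
        with open(php_file, "rb") as fh:
            text = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
    except OSError:
        return {}
    fields = {}
    for key, value in FIELD_RE.findall(text.replace("\r", "\n")):
        fields.setdefault(key.lower(), value.strip())
    return fields

def find_infected(plugins_root, name=PLUGIN_NAME, versions=INFECTED_VERSIONS):
    """List (directory, version) for installs of `name` at a listed version."""
    hits = []
    for plugin_dir in sorted(Path(plugins_root).iterdir()):
        if not plugin_dir.is_dir():
            continue
        for php_file in sorted(plugin_dir.glob("*.php")):
            header = read_header(php_file)
            if header.get("plugin name", "").lower() != name.lower():
                continue
            if header.get("version") in versions:
                hits.append((plugin_dir.name, header["version"]))
            break  # this file is the plugin's main file; stop scanning the dir
    return hits

def demo():
    """Run the check over a constructed plugins tree (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        for slug, version in (("sample-a", "1.0.5"), ("sample-b", "1.0.3")):
            plugin_dir = Path(root, slug)
            plugin_dir.mkdir()
            (plugin_dir / "main.php").write_text(
                f"<?php\n/*\n * Plugin Name: {PLUGIN_NAME}\n * Version: {version}\n */\n")
        return find_infected(root)
```

Point `find_infected()` at a real `wp-content/plugins` directory; a hit means the install should be removed or replaced, as the record states no patched version existed at publication.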

Affected Artifacts

Incident Context

Motive: SEO Spam, Account Takeover
Attribution: Group
Cause: Malicious Injection
Transitive: No
Actor: Third Party

External References

Source record: oss/attacks/wp-contact-form-7-multi-step/meta.yaml