Open Source 2024-06-21 · 3 days · Account Takeover, Defacement

Simply Show Hooks plugin created backdoors

Part of the WordPress.org plugins created admin backdoors campaign

Malicious code was found in Simply Show Hooks 1.2.1 during the June 2024 WordPress.org plugin-repository compromise.

Story

Simply Show Hooks was not the plugin that first raised the alarm. The public WordPress.org Plugin Review Team notice was about Social Warfare; Wordfence used that Social Warfare sample to search for the same pattern and found four more affected plugins, including Simply Show Hooks.

Wordfence listed Simply Show Hooks 1.2.1 as infected and reported no patched version at publication time. That keeps the incident in scope even though the plugin appears to have had no active installations reported publicly; the compromised artifact still sat in the WordPress.org plugin supply chain.

The injected PHP attempted to create administrator accounts named Options or PluginAuth, exfiltrated those details to 94.156.79.8, and added SEO-spam JavaScript in the site footer.
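A defender's check built from the indicators above, as an added example that is not part of the original record or of Wordfence's tooling: it flags the 1.2.1 artifact, administrator accounts named Options or PluginAuth, and egress to 94.156.79.8. The CSV column layout, the log format and the `audit` function name are assumptions, and every sample row is constructed.

```python
import csv
import io
import re

# Indicators as listed on this record.
PLUGIN_SLUG, BAD_VERSION = "simply-show-hooks", "1.2.1"
BACKDOOR_LOGINS = {"options", "pluginauth"}  # compared case-insensitively
EXFIL_IP = "94.156.79.8"
# Match the address only as a whole IP, so 94.156.79.80 is not a hit.
IP_RE = re.compile(r"(?<![\d.])" + re.escape(EXFIL_IP) + r"(?!\d)")

# Constructed sample inputs (assumed export layout, not real site data).
PLUGINS = """name,status,version
akismet,active,5.3
simply-show-hooks,inactive,1.2.1
"""
USERS = """user_login,roles
alice,administrator
PluginAuth,administrator
options,subscriber
"""
LOGS = [
    "2024-06-22T10:01:02Z web01 egress dst=203.0.113.10",
    "2024-06-22T10:01:05Z web01 egress dst=94.156.79.8",
    "2024-06-22T10:01:09Z web01 egress dst=94.156.79.80",
]


def audit(plugins_csv, users_csv, log_lines):
    """Return a list of (kind, detail) findings for one site."""
    findings = []
    for row in csv.DictReader(io.StringIO(plugins_csv)):
        if row["name"] == PLUGIN_SLUG and row["version"].strip() == BAD_VERSION:
            findings.append(("plugin", f"{PLUGIN_SLUG} {BAD_VERSION} ({row['status']})"))
    for row in csv.DictReader(io.StringIO(users_csv)):
        roles = {r.strip() for r in row["roles"].split(",")}
        # Only administrator accounts with the listed names are reported.
        if row["user_login"].lower() in BACKDOOR_LOGINS and "administrator" in roles:
            findings.append(("user", row["user_login"]))
    for n, line in enumerate(log_lines, 1):
        if IP_RE.search(line):
            findings.append(("egress", f"line {n}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(PLUGINS, USERS, LOGS):
        print(f"{kind}: {detail}")
```

An inactive copy of 1.2.1 is still reported, since this record tracks the compromised artifact rather than confirmed execution.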

The risk model is the same as the larger campaign but the exposure is narrower. A site owner did not have to fetch a lookalike ZIP from a random domain; if they installed or updated the affected plugin through the repository while the malicious copy was available, the trusted update path could deliver the backdoor.

This page keeps Simply Show Hooks separate because it had a single infected version and an unusual exposure profile. The campaign record carries the shared WordPress.org source-compromise pattern; this record is the inventory handle for the Simply Show Hooks artifact.

Affected Artifacts

wp-simply-show-hooks

wordpress · repository · Extension
Observed
2024-06-21 to 2024-06-24
Compromised Versions
  • 1.2.1
Fixed
Not listed
Evidence
distribution: wordpress.org/plugins/simply-show-hooks, ip: 94.156.79.8, user: Options, user: PluginAuth
  • The WordPress.org support thread was the Plugin Review Team's Social Warfare notice, not a separate attack; Wordfence used it as the starting point for the broader five-plugin investigation.
  • Heise reported Simply Show Hooks 1.2.1 with no active installations, so this record models the compromised repository artifact rather than a known population of affected sites.

Incident Context

Motive
SEO Spam, Account Takeover
Attribution
Group
Cause
Malicious Injection
Transitive
No
Actor
Third Party

External References

Source record: oss/attacks/wp-simply-show-hooks/meta.yaml