Social Warfare plugin created backdoors
Part of the WordPress.org plugins created admin backdoors campaign
Malicious code was injected directly into the Social Warfare plugin repository on WordPress.org.
Story
Social Warfare was the plugin that brought the June 2024 WordPress.org campaign into view. Wordfence learned of the compromise through a WordPress.org Plugin Review Team forum post, then used the malicious file to find four related plugin compromises.
Wordfence listed Social Warfare versions 4.4.6.4 through 4.4.7.1 as infected and 4.4.7.3 as patched. The risk was in the trusted update path: sites pulling plugin updates from WordPress.org received attacker code from the official channel.
The payload tried to create administrator accounts named Options or PluginAuth, sent the details to 94.156.79.8, and injected footer JavaScript for SEO spam. The plugin was later delisted while cleanup proceeded.
Social Warfare is useful as the anchor case because it exposed the campaign pattern. Once defenders understood the admin-user creation and footer injection logic in this plugin, the same indicators led them to the other compromised WordPress.org packages.
Affected Artifacts
wp-social-warfare
- Observed: 2024-06-21 to 2024-06-24
- Compromised Versions: 4.4.6.4 through 4.4.7.1
- Fixed: 4.4.7.3
- Evidence: distribution: wordpress.org/plugins/social-warfare; ip: 94.156.79.8; user: Options; user: PluginAuth
Incident Context
- Motive: SEO spam, account takeover
- Attribution: Group
- Cause: Malicious Injection
- Transitive: No
- Actor: Third Party
External References
Source record: oss/attacks/wp-social-warfare/meta.yaml