Wrapper Link Element plugin created backdoors
Part of the WordPress.org plugins created admin backdoors campaign
Malicious code was injected directly into the Wrapper Link Element plugin repository on WordPress.org.
Story
Wrapper Link Element was another official WordPress.org plugin affected in the June 2024 campaign. The malicious code entered the trusted plugin channel, so the package looked like a normal update to site owners.
Wordfence listed versions 1.0.2 and 1.0.3 as infected. It noted that the malicious code appeared to have been removed later, but the available tag was 1.0.0, lower than the infected versions, which made the normal upgrade path awkward.
The shared payload attempted administrator account creation, sent the new credentials to 94.156.79.8, and injected SEO-spam JavaScript. That meant a site could be both backdoored and polluted with attacker-controlled footer content after a routine plugin update.
This record keeps the Wrapper Link Element version range separate from the other plugin artifacts. The version rollback detail matters because cleanup was not a simple upgrade-to-latest workflow at the time Wordfence published.
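The indicators in this record can be turned into a per-site triage check. The following is an added example, not code from Wordfence or from the source record: the function names and the sample inventory are constructed, while the versions, usernames, IP address and tag come from this page. It also shows why the rollback matters: a version comparison against the 1.0.0 tag never offers a replacement for 1.0.2 or 1.0.3.

```python
# Added triage sketch. Indicator values are taken from this record;
# the inventory passed in is constructed sample data.
SLUG = "wrapper-link-element"
COMPROMISED = {"1.0.2", "1.0.3"}
LATEST_TAG = "1.0.0"                      # tag available when Wordfence published
SUSPECT_ADMINS = {"options", "pluginauth"}  # compared case-insensitively (assumption)
EXFIL_IP = "94.156.79.8"


def vtuple(version):
    """Turn '1.0.3' into (1, 0, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def updater_would_replace(installed, available=LATEST_TAG):
    """True only if the available tag is newer than the installed version."""
    return vtuple(available) > vtuple(installed)


def triage(plugins, admins, outbound_ips):
    """Return a list of findings for one site.

    plugins: {slug: version}; admins: iterable of administrator logins;
    outbound_ips: iterable of destination IPs seen in egress logs.
    """
    findings = []
    installed = plugins.get(SLUG)
    if installed in COMPROMISED:
        findings.append(f"{SLUG} {installed} is a compromised version")
        if not updater_would_replace(installed):
            findings.append(
                f"latest tag {LATEST_TAG} is not newer than {installed}: "
                "remove the plugin instead of waiting for an update")
    for login in admins:
        if login.lower() in SUSPECT_ADMINS:
            findings.append(f"admin account '{login}' matches a listed indicator")
    if EXFIL_IP in set(outbound_ips):
        findings.append(f"outbound traffic to {EXFIL_IP} observed")
    return findings


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    plugins = {SLUG: "1.0.3", "example-plugin": "2.1.0"}
    admins = ["alice", "PluginAuth"]
    egress = ["203.0.113.10", "94.156.79.8"]
    for finding in triage(plugins, admins, egress):
        print("FINDING:", finding)
```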
Affected Artifacts
wp-wrapper-link-element
Observed: 2024-06-21 to 2024-06-24
Compromised Versions: 1.0.2, 1.0.3
Fixed: Not listed
Evidence: distribution: wordpress.org/plugins/wrapper-link-element, ip: 94.156.79.8, user: Options, user: PluginAuth
Wordfence reported that the malicious code appeared to have been removed later, but the latest tag was lower than the infected versions, so removal was recommended until a properly tagged safe release existed.
Incident Context
Motive: SEO spam, account takeover
Attribution: Group
Cause: Malicious Injection
Transitive: No
Actor: Third Party
External References
Source record: oss/attacks/wp-wrapper-link-element/meta.yaml