Campaign Open Source 2024-06-21 · 3 days · Account Takeover, Defacement

WordPress.org plugins created admin backdoors

The June 2024 WordPress.org plugin campaign inserted backdoors into several established plugins through the official plugin distribution channel.

Story

This campaign compromised WordPress plugins at the source: the official WordPress.org plugin repository. Site owners did not have to install a lookalike plugin or download from a third-party site. Updating a trusted plugin was enough.

Wordfence first saw the compromised Social Warfare plugin on June 24, 2024, after a WordPress.org Plugin Review Team forum post, then found four more plugins with similar injected code. The earliest known injection dated to June 21, and the attacker was still making plugin updates hours before Wordfence published.

The injected PHP attempted to create new administrator accounts named Options or PluginAuth, then sent the credentials to 94.156.79.8. The attacker also injected footer JavaScript that added SEO spam across affected sites.
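A defender-side triage for the indicators above, as an added example that is not part of the original record or of Wordfence's tooling: it checks a WP-CLI administrator export for the two account names and searches text for the collection IP. The CSV rows and log lines are constructed samples, and the created-in-window rule is an assumed heuristic based on the June 21 earliest-injection date.

```python
import csv
import io
import re
from datetime import datetime

# Indicators taken from this campaign record.
IOC_ADMIN_LOGINS = {"options", "pluginauth"}
IOC_IP = re.compile(r"(?<![\d.])94\.156\.79\.8(?!\d)")  # not 94.156.79.80
EARLIEST_INJECTION = datetime(2024, 6, 21)

# Constructed sample, in the CSV shape printed by:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_ADMINS_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.test,2019-03-02 10:15:00
7,PluginAuth,noreply@example.test,2024-06-23 04:41:12
9,editor-jane,jane@example.test,2024-06-25 09:00:00
"""

# Constructed egress log lines (format and ports are illustrative).
SAMPLE_EGRESS_LOG = """2024-06-23T04:41:13Z web01 ALLOW 10.0.0.5:51544 -> 94.156.79.8:80
2024-06-23T04:41:20Z web01 ALLOW 10.0.0.5:51550 -> 94.156.79.80:443
"""


def triage_admins(csv_text):
    """Return (login, reason) for each administrator that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        created = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if login.lower() in IOC_ADMIN_LOGINS:
            findings.append((login, "ioc-username"))
        elif created >= EARLIEST_INJECTION:
            # Assumed heuristic: admins created in the campaign window need owner sign-off.
            findings.append((login, "created-in-window"))
    return findings


def lines_with_collection_ip(text):
    """Return lines (plugin source, proxy or firewall logs) naming the IP."""
    return [line for line in text.splitlines() if IOC_IP.search(line)]


if __name__ == "__main__":
    for login, reason in triage_admins(SAMPLE_ADMINS_CSV):
        print(f"review admin {login!r}: {reason}")
    for line in lines_with_collection_ip(SAMPLE_EGRESS_LOG):
        print(f"collection IP seen: {line}")
```

The username match is case-insensitive, and the IP pattern is anchored so that longer addresses sharing the same prefix are not reported.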

The useful lesson is the distribution boundary. WordPress.org plugin updates are a normal maintenance workflow, so a malicious commit in that channel can reach sites without any phishing, typosquatting, or manual upload by the site owner.

This campaign record carries the shared method and indicators. The individual plugin records carry the package names, affected versions, and specific WordPress.org distribution paths.

Linked Attacks

2024: 5 entries (5 open source, 0 proprietary), all in June
Top vector: Distribution
Top payload point: Source

Campaign Context

Actor: Third Party
Attribution: Group
Cause: Unknown

Affected Packages

External References

Source record: oss/campaigns/wordpress-plugin-backdoor-2024/meta.yaml