Several WordPress plugins have reportedly been backdoored in a supply-chain attack that gave attackers full administrative access to any website running them, along with other malicious capabilities.
According to researchers from the security company Wordfence, malicious code was injected into five WordPress plugins. The code creates new administrative user accounts and sends their credentials to an attacker-controlled server.
The compromised plugins are reportedly BLAZE Retail Widget, Social Warfare, Contact Form 7 Multi-Step Addon, Wrapper Link Elementor, and Simply Show Hooks.
WordPress is a web content management system. Although it was first developed as a blogging platform, it has since evolved to publish other kinds of digital content. The report states that a supply-chain attack of unknown origin has backdoored WordPress plugins running on up to 36,000 websites.
Over the past week, unknown threat actors have been adding harmful features to plugin updates on WordPress.org, the official website for the open-source WordPress content management system.
Once installed, the malicious updates automatically create an attacker-controlled administrative account, giving the attacker complete control over the compromised site. They also inject content intended to manipulate search engine results.
Attack Origin Unknown
The researchers are currently looking into the malware's origins and how it became accessible for distribution through the WordPress plugin channel.
According to the Wordfence researchers, a post on Saturday by a member of the WordPress plugins review team provided the first clue about the attack. After examining the malicious file, the researchers found four more plugins had the same kind of malware inside them.
Attacks on WordPress This Year
WordPress websites have already been the target of several attacks this year. Last January 12, over 6,700 WordPress websites were infected by a sophisticated cyber campaign that used the infamous Balada Injector malware.
This coordinated attack, first discovered by Dr. Web researchers, started in mid-December and focused on exploits of WordPress themes and add-ons. Since 2017, Balada Injector has reportedly been running a large-scale operation that has compromised more than 17,000 WordPress websites.
At the time, the attackers planted a backdoor on the hacked websites that redirected visitors to fake support pages, lottery scams, and push-notification fraud.
The most recent campaign surfaced on December 13, 2023, shortly after the discovery of CVE-2023-6000, a cross-site scripting (XSS) vulnerability impacting Popup Builder versions 4.2.3 and below.
Popup Builder, used on 200,000 sites to create customized popups, became the primary target of abuse. Website security provider Sucuri found that Balada Injector had quickly incorporated an exploit for the disclosed vulnerability.
Security researchers said the attackers stored malicious JavaScript in the site's database, hooked to Popup Builder's "sgpbWillOpen" event, so that it executed whenever the popup was triggered.
In addition to exploiting Popup Builder, the threat actors used a secondary infection technique: they modified the wp-blog-header.php file to inject the same JavaScript backdoor into the affected websites.