Thousands of WordPress websites are at risk of being completely taken over by hackers after the update process of multiple plugins was compromised to deliver malicious code.
Security researchers at Wordfence, an organization that oversees the security of the world’s largest website building platform, warned that they have so far discovered five plugins whose patch functionality was poisoned.
When users update these WordPress plugins, they receive a piece of code that creates a new administrator account, whose credentials are then sent to the attackers. As a result, the threat actors (whose identities have not yet been discovered) gain full and unfettered access to the website.
WordPress risks
The plugins are called Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, Contact Form 7 Multi-Step Addon and Simply Show Hooks. Cumulatively, these five plugins have had 36,000 installs, with Social Warfare being by far the most popular (30,000 installs).
At the time of writing, it had not yet been determined how the attackers managed to compromise the update process for these five plugins. Journalists at Ars Technica tried contacting the developers but got no response (some did not even list contact details on the plugin websites, making communication impossible).
WordPress is generally considered a secure platform for building websites. But it has a rich collection of third-party themes and plugins, many of which are not as protected or maintained as the underlying platform. As such, they are an excellent entry point for threat actors.
Furthermore, themes and plugins can be either free or commercial, and the free ones are often abandoned or maintained by a single developer or hobbyist. WordPress administrators must therefore be very careful when installing third-party additions on their websites, and install only the ones they actually need. Finally, they must keep these up to date at all times and keep an eye on vulnerability news.
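Two checks follow directly from the mechanism described above (a plugin update that plants a new administrator account) and from the list of affected plugins: is there an administrator nobody on the team created, and is one of the named plugins installed? The script below is an added example written for this page, not code from the article, Wordfence or any of the plugin authors. It parses the JSON that WP-CLI prints for `wp user list --format=json` and `wp plugin list --format=json`; the administrator allowlist, the sample users, plugins, versions and dates are all constructed, and the plugin slugs are assumptions derived from the display names in the article (the real directory slugs may differ).

```python
"""Audit a WordPress site for the two symptoms described in the article:
an administrator account nobody on the team created, and an installed copy
of one of the plugins whose update channel was reported compromised.

Input is the JSON that WP-CLI prints for `wp user list --format=json` and
`wp plugin list --format=json`; the samples at the bottom are constructed
for this example rather than taken from a real site."""
import json
from datetime import datetime, timedelta, timezone

# Administrators the site owner knows about (constructed allowlist).
KNOWN_ADMINS = {"site-owner", "agency-ops"}

# Plugins the article names. WP-CLI identifies plugins by directory slug,
# so the slugs below are assumptions derived from the display names and
# may differ from the real slugs; adjust them to match `wp plugin list`.
REPORTED_PLUGINS = {
    "social-warfare",
    "blaze-retail-widget",
    "wrapper-link-elementor",
    "contact-form-7-multi-step-addon",
    "simply-show-hooks",
}


def find_unexpected_admins(users_json, known_admins, now, recent_days=14):
    """Return every administrator not on the allowlist, flagging accounts
    registered within `recent_days` of `now`, which is what an account
    planted by a poisoned update would look like."""
    findings = []
    for user in json.loads(users_json):
        # WP-CLI reports roles as a comma-separated string.
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if "administrator" not in roles or user["user_login"] in known_admins:
            continue
        registered = datetime.fromisoformat(user["user_registered"]).replace(
            tzinfo=timezone.utc
        )
        findings.append({
            "login": user["user_login"],
            "email": user["user_email"],
            "registered": user["user_registered"],
            "recent": now - registered <= timedelta(days=recent_days),
        })
    return findings


def find_reported_plugins(plugins_json, reported):
    """Return slugs of installed plugins (active or not) on the reported list.
    An inactive copy is still worth reviewing, because the malicious code
    arrived with the update itself."""
    return sorted(p["name"] for p in json.loads(plugins_json) if p["name"] in reported)


def audit(users_json, plugins_json, now, known_admins=KNOWN_ADMINS,
          reported=REPORTED_PLUGINS):
    """Combine both checks into one report dict."""
    return {
        "unexpected_admins": find_unexpected_admins(users_json, known_admins, now),
        "reported_plugins": find_reported_plugins(plugins_json, reported),
    }


# Constructed sample of `wp user list --format=json` output.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "site-owner", "user_email": "owner@example.test",
     "user_registered": "2021-03-01 09:12:00", "roles": "administrator"},
    {"ID": 2, "user_login": "agency-ops", "user_email": "ops@example.test",
     "user_registered": "2023-01-15 14:30:00", "roles": "administrator"},
    {"ID": 3, "user_login": "editor-jane", "user_email": "jane@example.test",
     "user_registered": "2023-05-10 08:00:00", "roles": "editor"},
    {"ID": 4, "user_login": "wp-support", "user_email": "support@mailbox.test",
     "user_registered": "2024-06-22 03:14:07", "roles": "administrator"},
])

# Constructed sample of `wp plugin list --format=json` output (versions invented).
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "1.0.0"},
    {"name": "social-warfare", "status": "active", "update": "none", "version": "1.0.0"},
    {"name": "hello-dolly", "status": "inactive", "update": "none", "version": "1.0.0"},
])

# Constructed "current time" so the sample run is reproducible.
SAMPLE_NOW = datetime(2024, 6, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    report = audit(SAMPLE_USERS, SAMPLE_PLUGINS, SAMPLE_NOW)
    for finding in report["unexpected_admins"]:
        flag = "RECENTLY CREATED" if finding["recent"] else "long-standing"
        print(f"unexpected administrator: {finding['login']} <{finding['email']}> "
              f"registered {finding['registered']} ({flag})")
    for slug in report["reported_plugins"]:
        print(f"installed plugin on the reported list: {slug}")
```

On a real site, feed the script the two WP-CLI outputs and use `datetime.now(timezone.utc)` in place of `SAMPLE_NOW`. The allowlist is the important part: comparing against what the team knows it created is what separates a planted account from a legitimate but forgotten one, and the recency flag only prioritises which finding to look at first.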