Ongoing Supply Chain Attack on Plugin Repository

Darko Gjorgjijoski


As of June 24th, an ongoing supply chain attack is targeting the plugin repository. The attacker is releasing infected versions of random WordPress plugins, compromising the security of numerous websites and applications that use those plugins.

The issue has been first reported by WordFence threat intelligence in an article.

While it’s impossible to know the scale of the attack, multiple cases have been recorded shown in Figure 1.

SEO Optimized Images2.1.22024-06-28Patched by
PowerPress Podcasting plugin by Blubrry11.9.42024-06-28Patched by
Ad Invalid Click Protector (AICP)1.2.92024-06-28Patched by
WP Server Health Stats1.7.62024-06-28Patched by
Social Warfare4.4.6.4 – by Author
Blaze Widget2.2.5 – 2.5.22024-06-24Patched by
Wrapper Link Element1.0.2 – 1.0.32024-06-24Patched by
Contact Form 7 Multi-Step Addon1.0.4 – 1.0.52024-06-24Patched by
Simply Show Hooks1.2.12024-06-24Patched by
Figure 1: List of infected sites (source: WordFence & me)

The malicious code injected into the source code of the affected plugins performs several harmful actions:

1. Creation of administrator accounts

The code creates unauthorized admin accounts and sends the login details to a remote source, such as the IP address

2. Injection of malicious code in your theme

It also injects malicious code into the WordPress theme’s functions.php file.

Attack Origins

The origin of the supply chain attack is currently unclear. It may be stemming from compromised developer accounts or an internal security incident, hopefully we will get more details soon.

Attack Response

As a crucial first step, the WordPress Plugin Directory Team temporarily closed the infected plugins to prevent further spread of malicious code.

Suspended WordPress plugin
Figure 2: Suspended WordPress plugin

Next, they proceed with removing the injected malicious code from affected plugins. They are also adding an admin notice to inform users about the issue and the steps taken to address it. This ensures users are aware of the incident and can take any necessary actions to protect their sites.

Figure 3: Development log during attack

Finally the team is tagging patched version on behalf the author.

Prevention Measures

1. Take control of the plugin updates

To prevent your plugins to auto-update malicious version, you need to disable plugin updates for now.

At this point, do not trust the plugin repository and disable auto-updates temporarily by adding the following filter in your website code (specifically in mu-plugins or theme’s functions.php):

add_filter( 'auto_update_plugin', '__return_false' );

2. Install updates manually

To ensure the plugins that you want to update aren’t infected, download the plugin and check the development log on WordPress plugin page or scan it with and only after that upload the plugin to your site.

If you spot any issues or found infected plugin, report it to [email protected].

3. Backup your WordPress install regularly

Regularly back up your sites to ensure you can restore them in case a plugin gets infected through auto-update.

Leave the first comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Secured By miniOrange