Thousands of WordPress websites are at risk of being completely taken over by hackers, after the update process for several plugins was compromised to deploy malicious code.
Security researchers at Wordfence, an organization that monitors the security of the world's largest website building platform, warned that they had so far discovered five plugins whose patching functionality had been poisoned.
When users patch these WordPress plugins, they receive a snippet of code that creates a new administrator account, whose credentials are then sent to attackers. Thus, threat actors (whose identity has not yet been discovered) gain full and uninterrupted access to the website.
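The backdoor described above leaves a concrete trace: a new administrator account registered right after a plugin update. The audit below is an added example, not code from the article or from Wordfence. It assumes the site operator exports users with WP-CLI (`wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json`), keeps an allow-list of known administrator logins, and knows roughly when the suspect update ran; the JSON in the block is constructed sample data, not real output from any site.

```python
"""Flag WordPress administrator accounts that appeared around a plugin update.

Added example (not from the article or Wordfence). Assumes a user export from
WP-CLI in JSON form and an operator-maintained allow-list of admin logins.
"""
import json
from datetime import datetime, timedelta

# Constructed sample of what `wp user list --format=json` returns (not real data).
SAMPLE_USER_JSON = """
[
  {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
   "user_registered": "2022-03-14 09:12:00", "roles": "administrator"},
  {"ID": 7, "user_login": "editor_jane", "user_email": "jane@example.com",
   "user_registered": "2023-11-02 17:45:10", "roles": "editor"},
  {"ID": 42, "user_login": "wpadmn_7f3", "user_email": "noreply@example.invalid",
   "user_registered": "2024-06-22 03:58:41", "roles": "administrator"}
]
"""

# Hypothetical allow-list; in practice this comes from the site's own records.
KNOWN_ADMINS = {"siteowner"}


def find_suspicious_admins(user_json, known_admins, update_time, window_hours=48):
    """Return administrator accounts that are not on the allow-list and/or were
    registered within `window_hours` after `update_time` (when the plugin update
    ran). Either reason alone deserves a look; both together is a strong signal."""
    users = json.loads(user_json)
    window_end = update_time + timedelta(hours=window_hours)
    findings = []
    for u in users:
        # `roles` is a comma-separated string when a user holds several roles.
        if "administrator" not in u.get("roles", "").split(","):
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if u["user_login"] not in known_admins:
            reasons.append("not on admin allow-list")
        if update_time <= registered <= window_end:
            reasons.append("registered within %dh of plugin update" % window_hours)
        if reasons:
            findings.append({"ID": u["ID"], "user_login": u["user_login"],
                             "user_email": u["user_email"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Constructed timestamp for when the suspect update was applied.
    update_ran_at = datetime(2024, 6, 22, 1, 0, 0)
    for f in find_suspicious_admins(SAMPLE_USER_JSON, KNOWN_ADMINS, update_ran_at):
        print("ID %s (%s, %s): %s" % (f["ID"], f["user_login"], f["user_email"],
                                     "; ".join(f["reasons"])))
```

Run against a real export, any hit should be checked in the `wp_users` and `wp_usermeta` tables and in the web server's access log for the request that created it; an account flagged for both reasons is the pattern the article describes, and the plugin that was just updated is the first thing to compare against a clean copy.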
WordPress Risks
The affected plugins are Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, Contact Form 7 Multi-Step Addon, and Simply Show Hooks. Together they account for roughly 36,000 installs, with Social Warfare by far the most popular (about 30,000 installs).
As of press time, it has not been determined how the attackers compromised the update process for these five plugins. Journalists at Ars Technica tried contacting the developers but got no response (some did not list any contact information on their plugin pages at all, making communication impossible).
WordPress itself is generally considered a secure website building platform. But it has a huge ecosystem of third-party themes and plugins, many of which are neither as well protected nor as well maintained as the core platform. That makes them an attractive entry point for threat actors.
Themes and plugins can be either free or commercial, and the free ones are often abandoned or maintained by a single developer or hobbyist. WordPress administrators should therefore be careful about installing third-party plugins, install only the ones they actually intend to use, keep those updated at all times, and follow news about vulnerabilities in them.