
Compromised plugins found on WordPress.org
2024-06-26 08:32

An unknown threat actor has compromised five WordPress plugins and injected them with code that creates a new admin account, effectively giving the attacker complete control over affected WordPress installations and websites.

The backdoored plugins have collectively been downloaded by 35,000+ WordPress users.

"The earliest injection appears to date back to June 21st, 2024, and the threat actor was still actively making updates to plugins as recently as 5 hours ago. At this point we do not know exactly how the threat actor was able to infect these plugins."

"If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode," Wordfence threat analysts advise.

This should include checking for unknown/unauthorized WordPress administrative user accounts and deleting them, running a complete malware scan with the Wordfence plugin or Wordfence CLI, and removing any malicious code or artifacts found.

Wordfence has promised to provide more information as it becomes available and has said they are working on a set of malware signatures to provide detection for these compromised WordPress plugins.
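
The admin-account check described above can be scripted. The following Python is an added example, not code from Wordfence or the source article: it reads the CSV that WP-CLI's `wp user list` prints and reports every administrator that is not on a reviewed allowlist, marking those registered on or after the June 21st, 2024 date quoted above. The sample export, the account names and `KNOWN_ADMINS` are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Earliest injection date given in the article (June 21st, 2024).
EARLIEST_INJECTION = datetime(2024, 6, 21)

# Constructed sample of the CSV printed by:
#   wp user list --role=administrator \
#       --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_EXPORT = """\
ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2019-03-02 10:15:00
7,Editor-Lead,lead@example.com,2023-11-20 08:00:41
42,svc_backup,svc@example.net,2024-06-22 03:14:07
43,helpdesk2,hd@example.net,2018-01-01 00:00:00
44,tmpadmin,tmp@example.net,0000-00-00 00:00:00
"""

# Assumption: logins your team has confirmed as legitimate administrators.
KNOWN_ADMINS = {"siteowner", "editor-lead"}


def audit_admins(export_csv, known_admins, since=EARLIEST_INJECTION):
    """Return (ID, login, reason) for every admin account needing review."""
    allow = {name.lower() for name in known_admins}
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"].strip()
        if login.lower() in allow:
            continue
        try:
            created = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            created = None  # zeroed or malformed timestamp
        if created is None:
            reason = "unparseable-date"
        elif created >= since:
            reason = "created-in-window"
        else:
            # The stored date can be set by whoever wrote the row, so an
            # old-looking unknown admin still needs review.
            reason = "not-on-allowlist"
        findings.append((row["ID"], login, reason))
    return findings


if __name__ == "__main__":
    for user_id, login, reason in audit_admins(SAMPLE_EXPORT, KNOWN_ADMINS):
        print(f"REVIEW id={user_id} login={login} reason={reason}")
```

Run the `wp user list` command against the site and pass its output in place of `SAMPLE_EXPORT`; every reported account should be confirmed with its owner or removed as part of the incident response.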


News URL

https://www.helpnetsecurity.com/2024/06/26/compromised-plugins-wordpress/