WordPress Plugin Supply Chain Attack Gets Worse

30,000 websites at risk: Check yours  ASAP!

800 Million Ostriches Can’t Be Wrong

What’s the craic? Elizabeth Montalbano reports: WordPress Supply Chain Attack Spreads Across Multiple Plug-ins

“Widespread use”
A threat actor or actors has compromised multiple plug-ins on the WordPress.org site with code aimed at giving attackers administrative privileges as well as conducting further malicious activity. … The affected plug-ins include: Blaze Widget v2.2.5 to 2.5.2; Wrapper Link Element v1.0.2 to 1.0.3; Contact Form 7 Multi-Step Addon v1.0.4 to 1.0.5; … Simply Show Hooks v1.2.1 (and) Social Warfare, versions 4.4.6.4 and 4.4.7.1.
…
Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Typically, attackers target singular plug-ins with large install bases; however, the new attack suggests that attackers now may be eyeing more ambitious supply chain attacks across multiple plug-ins to broaden the impact of malicious campaigns.

Is WordPress insecure, for himself? Sead Fadilpašić is easy for you to say: Thousands of WordPress websites at risk of full takeover

“News on vulnerabilities”
WordPress is generally considered a secure website building platform. But it has a rich store of third-party themes and plugins, many of which are not as protected, or maintained, as the underlying platform. As such, they are a great entry point for threat actors.
…
Themes and plugins can be both free-to-use and commercial, and the former ones are often abandoned, or maintained by a single developer/hobbyist. Hence, WordPress administrators should be very careful when installing third-party additions to their websites, and make sure they install only those they are intending to use. Finally, they should keep them updated at all times and keep an eye out for news on vulnerabilities.

News like this? Here’s Defiant’s Chloe Chamberland: 5 Maliciously Compromised WordPress Plugins

“Malicious code”
The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server. … The threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website. The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow. The earliest injection appears to date back to June 21.
…
Indicators of Compromise …
IP Address where the malicious attacker is sending the data: 94.156.79.8. …
Usernames of the administrative user accounts that are being generated: Options, PluginAuth.
…
At this point it appears to be isolated to just those 5 plugins. … However, out of extra caution, I would recommend reviewing the change-sets of any plugin updates prior to updating them on any sites you run to make sure no malicious code is present.

How big is WordPress? Teconce runs the numbers:

WordPress continues to be a cornerstone of the web. … 6 Amazing Fun Facts about WordPress:
1️⃣ Older Than Facebook & Twitter
2️⃣ Powers 43.4% of Websites
3️⃣ Independent Ownership
4️⃣ Available in 68+ Languages
5️⃣ Love For Jazz
6️⃣ 59,000+ Free Plugins

Popularity breeds contempt, as Quentin Crisp once said. turd gives you time to realize your crime:

By a country mile. So many self-hosted blogs using it out there, so much attack surface. Back when I did hosting support, half my root compromise tickets started with “User installed unknown WordPress add-on xyz.”

Lest we forget, this is another example of a supply-chain attack. Bill Green is not envious:

The supply chain house of cards is gonna come down. I expect the next will be Adobe or something of that ilk.

But is WordPress owner Automattic asleep at the switch? markx2 finds this astonishing:

I find this astonishing. I worked at Automattic … in 2011. … After some bad plugin updating from various sources, Matt (Mullenweg) asked me to start vetting … plugin updates.
…
Lots of reading later I could recognise dodgy code, or code that looked odd. I set up a gmail account that every new plugin commit was sent to, and I create a ton of filters, each looking for certain code. … When something bad happened, I’d review the commits, see the nasty, remove it, update the version, commit to the wporg repo and at the same time take over the account.
…
That was 13 years ago. Why the hell doesn’t WP have a better system?

What can WordPress site owners do? Unremarkable remarks:

When it comes to supply chain attacks, WordPress’s plugin directory is a completely undefended open field. Audit your use of plugins. Audit whether core WordPress already has whatever it is you think requires a plugin (it probably does).
…
Make your WP install directory read-only and not owned by the web server user. Never let plugins auto-update. Wait for Automattic to do something about the mess they’re running. Wait longer. Maybe lock down your wp-content directory too.
…
Continue waiting.
Continue waiting.
Continue waiting.

Meanwhile, a slightly sweary GNUHead draws an extreme conclusion:

Honestly, WordPress is riddled with **** like this. Consider alternatives folks!

And Finally:

Why are some German pedestrian lights weird?

Previously in And Finally

---

You have been reading SB  Blogwatch by Richi  Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @(email protected), @richi.bsky.social or (email protected). Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Anja/cocoparisienne (via Pixabay; leveled and cropped)