Malicious code injected over the past week in five WordPress plugins creates a new administrative account, WordPress security firm Defiant reports.
Users of Blaze Widget versions 2.2.5 to 2.5.2, Wrapper Link Element versions 1.0.2 and 1.0.3, Contact Form 7 Multi-Step Addon versions 1.0.4 and 1.0.5, and Simply Show Hooks 1.2.1 are advised to remove the plugins and look for rogue administrative accounts on their websites.
All five plugins have been closed by the WordPress team and are no longer available for download.
The infected plugins are open source and have a combined active installation base of over 30,000 sites. According to Defiant, the plugins were likely compromised as part of a supply chain attack.
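The advice above is to remove the affected plugins and then look for rogue administrative accounts. The script below is an added example (it is not from the SecurityWeek article or from Defiant) of how a site operator can do that check from the command line: it takes the CSV that `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` prints and reports any administrator login that is not on an expected allowlist, plus any administrator registered on or after a cutoff date. The CSV rows, the allowlist and the cutoff date are constructed sample values; on a real site you would substitute the WP-CLI output and your own list of legitimate administrators.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Flags WordPress administrator accounts that are unexpected, either because the
# login is not on the operator's allowlist or because the account was registered
# recently. Input is the CSV that WP-CLI prints for:
#   wp user list --role=administrator \
#       --fields=ID,user_login,user_email,user_registered --format=csv

# Constructed sample data standing in for the WP-CLI output.
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2019-03-04 10:22:01
7,editor_jane,jane@example.com,2021-08-11 09:00:00
42,wp_update_svc,update@example.org,2024-06-22 03:14:07'

# Assumed allowlist of logins that are supposed to hold the administrator role.
EXPECTED_ADMINS="siteowner editor_jane"

# Assumed cutoff: any administrator registered on or after this date is suspect.
SUSPECT_SINCE="2024-06-01"

# find_rogue_admins CSV ALLOWLIST
# Prints "ID<TAB>login<TAB>registered" for every administrator whose login is
# not in the space-separated ALLOWLIST.
find_rogue_admins() {
    csv="$1"
    allow=" $2 "
    printf '%s\n' "$csv" | tail -n +2 | while IFS=, read -r id login email registered; do
        case "$allow" in
            *" $login "*) ;;   # known administrator, nothing to report
            *) printf '%s\t%s\t%s\n' "$id" "$login" "$registered" ;;
        esac
    done
}

# find_recent_admins CSV SINCE
# Prints "ID<TAB>login<TAB>registered" for every administrator whose
# user_registered timestamp is on or after SINCE (ISO dates compare lexically).
find_recent_admins() {
    csv="$1"
    since="$2"
    printf '%s\n' "$csv" | tail -n +2 | while IFS=, read -r id login email registered; do
        if expr "$registered" \>= "$since" >/dev/null; then
            printf '%s\t%s\t%s\n' "$id" "$login" "$registered"
        fi
    done
}

# count_rogue_admins CSV ALLOWLIST -> number of administrators not on the allowlist
count_rogue_admins() {
    find_rogue_admins "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
echo "Administrators not on the allowlist:"
find_rogue_admins "$SAMPLE_ADMINS" "$EXPECTED_ADMINS"
echo "Administrators registered since $SUSPECT_SINCE:"
find_recent_admins "$SAMPLE_ADMINS" "$SUSPECT_SINCE"
```

On a live site, capture the real list with `admins=$(wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv)` and pass `"$admins"` in place of `"$SAMPLE_ADMINS"`. An account that appears in either report should be reviewed before the plugin cleanup is considered complete, since the injected code described above creates its administrator account directly in the database rather than through the normal registration flow.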
Source: SecurityWeek.com