WordPress Plugin Vulnerabilities

Various Plugins - Injected Backdoor

Description

Several plugins hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised their source code and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server.

Affects Plugins

Plugin icon
blaze-widget
Fixed in 2.5.4
Plugin icon
contact-form-7-multi-step-addon
Fixed in 1.0.7
Plugin icon
simply-show-hooks
No known fix
Plugin icon
social-warfare
Fixed in 4.4.7.3
Plugin icon
wrapper-link-elementor
Fixed in 1.0.5
Plugin icon
ad-invalid-click-protector
Fixed in 1.2.11
Plugin icon
britetechs-companion
Fixed in 2.2.8
Plugin icon
powerpress
Fixed in 11.9.6
Plugin icon
seo-optimized-images
Fixed in 2.1.4
Plugin icon
wp-server-stats
Fixed in 1.7.8

References

CVE
CVE-2024-6297
URL
https://www.wordfence.com/blog/2024/06/supply-chain-attack-on-wordpress-org-plugins-leads-to-5-maliciously-compromised-wordpress-plugins/
URL
https://www.wordfence.com/blog/2024/06/3-more-plugins-infected-in-wordpress-org-supply-chain-attack-due-to-compromised-developer-passwords/
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/56d24bc8-4a1a-4e60-aec5-960703a6058a

Miscellaneous

Verified
Yes
WPVDB ID
2c9eb68a-bf19-42df-9c71-f85c440225bc

Timeline

Publicly Published
2024-06-24 (about 1 year ago)
Added
2024-06-25 (about 1 year ago)
Last Updated
2024-07-05 (about 1 year ago)

Other

Published
Title
Published
2014-07-29
Title
Beefbind - BeEF RCE Plugin
Published
2017-12-28
Title
WP No External Links 4.2.1-4.2.2 - Backdoored
Published
2026-04-07
Title
Smart Slider 3 Pro 3.5.1.35 - Compromised Plugin
Published
2025-07-11
Title
GravityForms 2.9.11.1 / 2.9.12 - Malware Compromise
Published
2017-12-28
Title
No Follow All External Links 2.1.0-2.3.0 (current) - Backdoored