Last week saw a serious supply chain attack on the WordPress.org plugin repository.

All plugin committer accounts have had a forced password reset and all new plugin releases were paused.

#1 – WordPress.org Supply Chain Attack

A hacker took advantage of breached passwords that had been re-used by WordPress.org plugin developers.

You read that right. Plugin developers were re-using passwords on their wp.org accounts.

The attacker gained access to several wp.org accounts and published new plugin releases that contained malware code.

If you run any of the following plugins, either update to the newer version manually, or remove them from your WordPress sites:

Social Warfare
Upgrade to v4.4.7.3+

Blaze Widget
Upgrade to v2.5.4+

Wrapper Link Element
Upgrade to v1.0.5+

Contact Form 7 Multi-Step Addon
Upgrade to v1.0.7+

Simply Show Hooks
Upgrade to v1.2.1 (remove 1.2.2!)

WP Server Health Stats
Upgrade to v1.7.8+

Ad Invalid Click Protector
Upgrade to v1.2.10+

PowerPress Podcasting plugin by Blubrry
Upgrade to v11.9.6+

Seo Optimized Images
Upgrade to v2.1.4+
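As an added example (not from this newsletter or Shield's own code), a short Python check that reads the JSON produced by `wp plugin list --format=json --fields=title,version` and flags any plugin from the list above that is still below its safe version, treating Simply Show Hooks 1.2.2 as a release to remove rather than a version to exceed. It assumes plugin titles match the names used above; the sample input is constructed, not taken from a real site.

```python
"""Check installed WordPress plugin versions against the advisory list above."""
import json

# Advisory table from the newsletter: plugin title -> minimum safe version.
# Simply Show Hooks is handled separately: 1.2.2 is the bad release, 1.2.1 is safe.
MIN_SAFE = {
    "Social Warfare": "4.4.7.3",
    "Blaze Widget": "2.5.4",
    "Wrapper Link Element": "1.0.5",
    "Contact Form 7 Multi-Step Addon": "1.0.7",
    "WP Server Health Stats": "1.7.8",
    "Ad Invalid Click Protector": "1.2.10",
    "PowerPress Podcasting plugin by Blubrry": "11.9.6",
    "Seo Optimized Images": "2.1.4",
}
KNOWN_BAD = {"Simply Show Hooks": {"1.2.2"}}

def vtuple(v):
    """Turn '4.4.7.3' into (4, 4, 7, 3); non-numeric parts count as 0."""
    parts = []
    for p in v.lstrip("v").split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_lt(a, b):
    """True if version a is strictly older than b (1.2.9 < 1.2.10, 11.9 == 11.9.0)."""
    la, lb = vtuple(a), vtuple(b)
    n = max(len(la), len(lb))
    return la + (0,) * (n - len(la)) < lb + (0,) * (n - len(lb))

def check_plugins(plugins):
    # plugins: list of {"title": ..., "version": ...} dicts (assumed wp-cli field names).
    findings = []
    for p in plugins:
        title, ver = p["title"], p["version"]
        if title in KNOWN_BAD and ver.lstrip("v") in KNOWN_BAD[title]:
            findings.append((title, ver, "REMOVE: known-bad release, reinstall 1.2.1"))
        elif title in MIN_SAFE and version_lt(ver, MIN_SAFE[title]):
            findings.append((title, ver, f"UPDATE to {MIN_SAFE[title]}+ or remove"))
    return findings

# Constructed sample of `wp plugin list` JSON output, not from a real site.
SAMPLE = json.loads('[{"title":"Social Warfare","version":"4.4.6.1"},'
                    '{"title":"Simply Show Hooks","version":"1.2.2"},'
                    '{"title":"Contact Form 7","version":"5.9.5"},'
                    '{"title":"Blaze Widget","version":"2.5.4"}]')

if __name__ == "__main__":
    for title, ver, action in check_plugins(SAMPLE):
        print(f"{title} {ver}: {action}")
```

Note that the title must match exactly: "Contact Form 7" is not flagged here because the affected plugin is the separate "Contact Form 7 Multi-Step Addon".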

Editor Comment
We have a recent article on our blog (see below) about the importance of strong passwords. This is a reminder to never reuse passwords and to instead use tools like password managers to help you create strong, unique passwords for every service you use.

#2 – Vulnerable: Advanced Custom Field PRO Plugin

With 2+ million free installs, many likely use the Pro edition.

How will I know I’m okay?
Upgrade to v6.3.2+

What’s the risk?
Broken Access Control – unauthorised users can access sensitive data to perform higher-level actions.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.


#3 – Vulnerable: SEOPress Plugin

XSS with 300,000 installs.

How will I know I’m okay?
Upgrade to v7.8+

What’s the risk?
Severity risk 6.5/10 – XSS – allowing injection of malicious scripts into the website, which visitors may then execute.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.


#4 – Vulnerable: Contact Form 7 Plugin

Potentially 10+ million WP sites with an Open Redirect vulnerability.

How will I know I’m okay?
Upgrade to v5.9.5+

What’s the risk?
An unverified redirect URL can send users to a malicious website, enabling phishing attacks.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.


#5 – From our blog: Resolve Your Password Challenges

A strong password is your first line of defense. WP default password settings may not be enough.


Thanks for reading, and have a great week!

Paul Goodchild
Shield Security for WordPress