ShieldNOTES Ep#20: WP.org Supply Chain Attack; ACF & CF7 Vulnerabilities; Password Security

July 1, 2024 by Paul G. | Security, ShieldNOTES

Last week saw a serious supply chain attack on the WordPress.org plugin repository.

All plugin committer accounts have had a forced password reset and all new plugin releases were paused.

#1 – WordPress.org Supply Chain Attack

A hacker took advantage of breached passwords, that had been re-used by WordPress.org plugin developers.

You read that right. Plugin developers were re-using passwords on their wp.org accounts.

The attacker gained access to several wp.org accounts and published new plugin releases that contained malware code.

If you run any of the following plugins, either update to the newer version manually, or remove them from your WordPress sites:

Social Warfare
Upgrade to v4.4.7.3+

Blaze Widget
Upgrade to v2.5.4+

Wrapper Link Element
Upgrade to v1.0.5+

Contact Form 7 Multi-Step Addon
Upgrade to v1.0.7+

Simply Show Hooks
Upgrade to v1.2.1 (remove 1.2.2!)

WP Server Health Stats
Upgrade to v1.7.8+

Ad Invalid Click Protector
Upgrade to v1.2.10+

PowerPress Podcasting plugin by Blubrry
Upgrade to v11.9.6+

Seo Optimized Images
Upgrade to v2.1.4+

Editor Comment
We’ve a recent article on our blog (see below) about the importance of strong passwords. This is reminder to never reuse passwords and to instead use tools like Password Managers to help you create strong, unique passwords for every service you use.

#2 – Vulnerable: Advanced Custom Field PRO Plugin

With 2+ million free installs, many likely use the Pro edition.

How will I know I’m okay?
Upgrade to v6.3.2+

What’s the risk?
Broken Access Control – unauthorised users can access sensitive data to perform higher-level actions.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

More Info →

#3 – Vulnerable: SEOPress Plugin

XSS with 300,000 installs.

How will I know I’m okay?
Upgrade to v7.8+

What’s the risk?
Severity risk 6.5/10 – XSS – allowing injection of malicious scripts into website that guests may execute.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

More Info →

#4 – Vulnerable: Contact Form 7 Plugin

Potentially 10+ million WP sites with Open Redirection vulnerability.

How will I know I’m okay?
Upgrade to v5.9.5+

What’s the risk?
An unverified redirect URL can send users to a malicious website, causing phishing attacks.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

More Info →

#5 – From our blog: Resolve Your Password Challenges

A strong password is your first line of defense. WP default password settings may not be enough.

More Info →

Thanks for reading, and have a great week!

Paul Goodchild
Shield Security for WordPress

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

Try ShieldPRO Today →

ShieldPRO Testimonials

@xiiizen

Great and really simple security!

I must say this is one of the best security plugins I have ever used. In my own personal tests the plugin is rock solid and it doesn’t lock you out from your site or generate errors on updates. It also simplifies a lot the work I have to do…

@bosibbern

Working perfectly

UPDATE 11-18-2015: Had to deactivate it after the update because it slowed my blog to a crawl.. UPDATE 11-20-2015: Reinstalled it and amazingly my problems went away 🙂

@raiever

Fast, Trustworthy, Professional.

These guys are legit. Easy enough said. Any questions you may have, they answer. Any issues you may have, they will help fix. Their support team is fast to respond (Answered two of my tickets in less than 24hrs), and are extremely professional and polite. They will explain in simple…

@daviesda

Reliable and secure

I’m a little paranoid these days about the security of my WordPress sites after getting badly hacked a year ago. I look after several installations of WP and I now have WordPress Simple Firewall running on all of them. After a couple of months of use I’m totally confident in…

ESSENTIAL WORDPRESS SECURITY NEWS

Get ShieldNOTES, our excellent weekly WordPress security newsletter!

ShieldNOTES Ep#20: WP.org Supply Chain Attack; ACF & CF7 Vulnerabilities; Password Security

#1 – WordPress.org Supply Chain Attack

#2 – Vulnerable: Advanced Custom Field PRO Plugin

#3 – Vulnerable: SEOPress Plugin

#4 – Vulnerable: Contact Form 7 Plugin

#5 – From our blog: Resolve Your Password Challenges

Great and really simple security!

Working perfectly

Fast, Trustworthy, Professional.

Reliable and secure

Leave a Comment Cancel reply

Related Stories

ShieldNOTES Ep#21: New Supply Chain Attack; Elementor Addon & WP Google Map Vulnerabilities; Hacker Security Guide

ShieldNOTES Ep#19: Recurring Vulnerability + Severely Critical + Monitor WP Activity

ShieldNOTES Ep#29: Several Critical Vulnerabilities on Millions of Sites & Early Black Friday Webm

ESSENTIAL WORDPRESS SECURITY NEWS