The malicious PHP scripts in the compromised WordPress plugins created new accounts with administrative privileges on the websites running them and injected malicious JavaScript into the footers of those websites, spreading SEO spam throughout them [4]. The attack affected at least five plugins and over 35,000 websites.
The malicious injections in the WordPress plugins were first detected by the Wordfence Threat Intelligence team on June 24, 2024. The attack involved modifying the source code of at least five plugins hosted on WordPress.org to include malicious PHP scripts that create new accounts with administrative privileges on websites running them.
One plugin still lacks a fix for the backdoor issue: Simply Show Hooks, versions 1.2.1 to 1.2.2. No fix is available yet for this plugin.
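A site owner can check for both conditions described above, an installed copy of the unfixed plugin and administrator accounts nobody on the team created, from WP-CLI exports. The following is an added example, not code from Wordfence or WordPress.org; the plugin slug `simply-show-hooks`, the allowlist, the review-window start date and the sample records are assumptions or constructed values.

```python
import json
from datetime import datetime

# Range the page lists as still unfixed. The slug is an assumption: check it
# against the "name" column of `wp plugin list` on your own install.
AFFECTED = {"simply-show-hooks": ((1, 2, 1), (1, 2, 2))}

def parse_version(text):
    """'1.2.10' -> (1, 2, 10): numeric comparison, not string comparison."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())

def affected_plugins(plugins_json):
    """Input: output of `wp plugin list --format=json`."""
    hits = []
    for plugin in json.loads(plugins_json):
        bounds = AFFECTED.get(plugin["name"])
        if bounds and bounds[0] <= parse_version(plugin["version"]) <= bounds[1]:
            # Inactive copies are reported too: the code is still on disk.
            hits.append((plugin["name"], plugin["version"], plugin.get("status")))
    return hits

def admins_to_review(users_json, known_admins, window_start):
    """Input: `wp user list --role=administrator --format=json`."""
    start = datetime.strptime(window_start, "%Y-%m-%d")
    flagged = []
    for user in json.loads(users_json):
        created = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("not in allowlist")
        if created >= start:
            reasons.append("created inside review window")
        if reasons:
            flagged.append((user["user_login"], reasons))
    return flagged

# Constructed sample exports (not real data).
PLUGINS = json.dumps([
    {"name": "simply-show-hooks", "status": "inactive", "version": "1.2.2"},
    {"name": "example-plugin", "status": "active", "version": "1.2.10"},
])
USERS = json.dumps([
    {"user_login": "site-owner", "user_registered": "2021-03-04 10:00:00"},
    {"user_login": "unexpected-admin", "user_registered": "2024-06-23 02:11:45"},
])

if __name__ == "__main__":
    print(affected_plugins(PLUGINS))
    print(admins_to_review(USERS, {"site-owner"}, "2024-06-01"))
```

Set the window start to a date before your site last updated any of the affected plugins; the page gives only the detection date of June 24, 2024.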