Wordfence founder here – just wanted to get your eyes on this asap. 5 plugins in the repo have been taken over and malicious code injected. Someone posted about one on Friday and our team ran a scan on our internal threat intel platform and found 4 more plugins affected. We’ll be adding malware signatures shortly to detect the malicious code. We’re also continuing to research the underlying cause. We’ve notified the plugin team and they’ve disabled the plugins.
The plugins are:
* [Social Warfare](https://wordpress.org/plugins/social-warfare/) 4.4.6.4 – 4.4.7.1
  * Patched Version: 4.4.7.3
* [Blaze Widget](https://wordpress.org/plugins/blaze-widget/) 2.2.5 – 2.5.2
  * Patched Version: None
* [Wrapper Link Element](https://wordpress.org/plugins/wrapper-link-elementor/) 1.0.2 – 1.0.3
  * Patched Version: It appears that someone removed the malicious code; however, the latest version is tagged as 1.0.0, which is lower than the infected versions. This means it may be difficult to update to the latest version, so we recommend removing the plugin until a properly tagged version is released.
* [Contact Form 7 Multi-Step Addon](https://wordpress.org/plugins/contact-form-7-multi-step-addon/) 1.0.4 – 1.0.5
  * Patched Version: None
* [Simply Show Hooks](https://wordpress.org/plugins/simply-show-hooks/) 1.2.1
  * Patched Version: None
This isn’t something we see often. In fact the last time we saw a supply chain attack like this was the Mason Soiza debacle back in 2017 when he bought several plugins and injected spam. Details on our blog…
[https://www.wordfence.com/blog/2024/06/supply-chain-attack-on-wordpress-org-plugins-leads-to-5-maliciously-compromised-wordpress-plugins/](https://www.wordfence.com/blog/2024/06/supply-chain-attack-on-wordpress-org-plugins-leads-to-5-maliciously-compromised-wordpress-plugins/)
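As an added example (not Wordfence's code and not part of the post above), the following Python script checks a `wp-content/plugins` directory against the slugs and version ranges listed in the post. It reads the `Version:` header from each plugin's main PHP file (the file carrying a `Plugin Name:` header, which WordPress itself reads from the first 8 KiB) and reports the action the post recommends: update where a patched version exists, remove where none does. The sample plugin tree built by `build_sample_tree()` is constructed for the demo and contains no real plugin code; the plugins directory path is whatever you pass to `scan_plugins_dir()`.

```python
"""Check a wp-content/plugins tree for the plugin versions listed in the post.

Added example, not Wordfence code. Assumes the standard WordPress layout:
plugins_dir/<slug>/<main>.php with a 'Plugin Name:' / 'Version:' header comment.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Affected version ranges and patched versions exactly as listed in the post.
# patched=None means no clean release exists and the plugin should be removed.
AFFECTED: Dict[str, dict] = {
    "social-warfare": {"first": "4.4.6.4", "last": "4.4.7.1", "patched": "4.4.7.3"},
    "blaze-widget": {"first": "2.2.5", "last": "2.5.2", "patched": None},
    # Cleaned build is tagged 1.0.0, lower than the infected versions, so an
    # update will not reach it; the post recommends removal, hence patched=None.
    "wrapper-link-elementor": {"first": "1.0.2", "last": "1.0.3", "patched": None},
    "contact-form-7-multi-step-addon": {"first": "1.0.4", "last": "1.0.5", "patched": None},
    "simply-show-hooks": {"first": "1.2.1", "last": "1.2.1", "patched": None},
}

# Matches a 'Version:' header line inside the plugin's leading comment block.
VERSION_RE = re.compile(r"^[\s*#]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.IGNORECASE | re.MULTILINE)


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.4.7.1' -> (4, 4, 7, 1); tuples compare the way dotted versions should."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def check_plugin(slug: str, version: str) -> Optional[str]:
    """Return the recommended action if slug/version falls in an affected range, else None."""
    info = AFFECTED.get(slug)
    if info is None:
        return None
    v = parse_version(version)
    if parse_version(info["first"]) <= v <= parse_version(info["last"]):
        if info["patched"]:
            return f"update to {info['patched']}"
        return "remove plugin (no clean release available)"
    return None


def read_plugin_version(plugin_dir: str) -> Optional[str]:
    """Locate the main plugin file (the one with a 'Plugin Name:' header) and read its version."""
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if not name.endswith(".php") or not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress reads only the first 8 KiB for headers
        if "Plugin Name:" not in head:
            continue
        m = VERSION_RE.search(head)
        return m.group(1) if m else None
    return None


def scan_plugins_dir(plugins_dir: str) -> List[Tuple[str, str, str]]:
    """Return (slug, installed_version, action) for every affected plugin found."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        d = os.path.join(plugins_dir, slug)
        if not os.path.isdir(d):
            continue
        version = read_plugin_version(d)
        if version is None:
            continue
        action = check_plugin(slug, version)
        if action:
            findings.append((slug, version, action))
    return findings


def build_sample_tree() -> str:
    """Constructed sample plugin tree (header comments only, no real plugin code)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "social-warfare": "4.4.7.0",    # inside 4.4.6.4 - 4.4.7.1
        "blaze-widget": "2.2.4",        # just below the affected range
        "simply-show-hooks": "1.2.1",   # the single affected version
        "hello-dolly": "1.7.2",         # unrelated plugin, should not be reported
    }
    for slug, ver in samples.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, f"{slug}.php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
    return root


if __name__ == "__main__":
    # On a real site point this at <wp-root>/wp-content/plugins instead.
    for slug, ver, action in scan_plugins_dir(build_sample_tree()):
        print(f"{slug} {ver}: {action}")
```

Run it as `python3 check_plugins.py` for the demo, or call `scan_plugins_dir("/var/www/html/wp-content/plugins")` on a live install. Note that a version check only tells you whether the installed build falls in a listed range; a site that already ran a compromised version should still be checked for the injected code itself (the signatures Wordfence says it is adding cover that), since updating or removing the plugin does not undo anything the malicious code did while it was active.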