
Querify Question Shop: Explore Expert Solutions and Unique Q&A Merchandise

Asked: November 25, 2024

Month in WordPress: June 2024


A supply chain attack hits plugins, WordPress 6.5.5 and 6.6 RC 1 are released, plugin install limit tops 10M, and ACF launches its 2024 survey.

1. Supply chain attack on WordPress.org plugins

WP Team: We identified that some plugin authors were reusing passwords exposed in data breaches elsewhere. The compromised accounts were not the result of an exploit on WordPress.org. Instead, the attackers used recycled passwords to add malicious code to a few plugins on the WordPress.org Plugin Directory.

In other words, some plugin authors used weak passwords or reused passwords from other accounts, and these passwords were leaked. Attackers used these passwords to brute-force plugin author accounts on WordPress.org.

Breakdown of the attack:

  1. June 24th: WP Plugin Review Team notices threat

    The WordPress.org Plugin Review Team was notified that a malicious actor had taken over one of the plugins. The Plugin Review Team disabled it and released a “clean” updated version.

  2. June 24th: Wordfence Threat Intelligence finds more infected plugins

    The Wordfence Threat Intelligence team conducted additional research based on the WP Plugin Review Team's message and found four more plugins infected with the same malicious code. The Wordfence team notified the WP Plugin Review Team.

    In all cases, the injected malware attempts to create a new administrative user account and then sends those details back to an attacker-controlled server. Additionally, it appears the threat actor injected malicious JavaScript into the footer of websites, adding SEO spam throughout the site.

  3. June 28th: Attack escalation

    Four more plugins were infected, while three malicious updates were stopped by the team, including the Pods plugin with more than 100,000 active installations.

  4. June 29th: The WordPress team takes major preventive actions

    On June 29th, the WP Plugins Team sent plugin authors a notification requiring a password reset for all plugin authors. The full message follows.

Hello {username},
As a follow-up on the Andrew Wilder (NerdPress) and Chloe Chamberland (WordFence) reports that uncovered a limited number of compromised plugins, the Plugin Review team would like to provide more details about the case.
We identified that some plugin authors were reusing passwords exposed in data breaches elsewhere. The compromised accounts were not the result of an exploit on WordPress.org. Instead, the attackers used recycled passwords to add malicious code to a few plugins on the WordPress.org Plugin Directory.
First, out of an abundance of caution, additional plugin releases have been paused, and all new plugin commits temporarily need approval by the team. This way, we have the opportunity to confirm that the attackers cannot add malicious code to more plugins.
We have begun to force reset passwords for all plugin authors and some other users whose information was found by security researchers in data breaches. This will affect some users' ability to interact with WordPress.org or perform commits until their password is reset.

This action ensures that further infections are impossible, and no new infection reports have been made since. If you are the author of any plugin on WP.org, check your mailbox and follow the instructions for resetting your password. Enabling two-factor authentication (2FA) is also recommended.
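Because the injected code described in the breakdown above creates a new administrative user, site owners who ran an affected plugin will want to review their administrator list. The following is an added example, not code from the original article, WordPress.org or Wordfence: it flags administrators registered inside a review window who are not on an approved list. The CSV layout assumes a WP-CLI export, the accounts are constructed sample data, and the window start and approved list are site-specific assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample, shaped like the output of:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv
# Every account below is made up for illustration.
SAMPLE_EXPORT = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-14 09:12:44
7,editor-lead,lead@example.com,2023-11-02 16:40:01
42,svc_backup,backup@example.net,2024-06-26 03:17:55
43,helpdesk,help@example.com,2024-06-27 11:05:10
"""


def parse_registered(value):
    """WordPress stores user_registered as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    parsed = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def unexpected_admins(export_csv, since, approved_logins):
    """Return (login, detail) for admins created on/after `since` that nobody approved."""
    approved = {login.lower() for login in approved_logins}
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row.get("user_login") or "?"
        try:
            registered = parse_registered(row.get("user_registered") or "")
        except ValueError:
            # A missing or zeroed date cannot be placed in time: review it by hand.
            findings.append((login, "unparseable registration date"))
            continue
        if registered >= since and login.lower() not in approved:
            findings.append((login, registered.isoformat()))
    return findings


if __name__ == "__main__":
    since = datetime(2024, 6, 1, tzinfo=timezone.utc)    # assumed review window start
    approved = ["siteowner", "editor-lead", "helpdesk"]  # assumed list of known admins
    for login, detail in unexpected_admins(SAMPLE_EXPORT, since, approved):
        print(f"REVIEW administrator account {login}: {detail}")
```

An empty result only means no unapproved administrator was registered in the window; it says nothing about the footer JavaScript the article also mentions.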

2. WordPress 6.5.5 Security Release and 6.6 RC 1 are available

WordPress 6.5.5, a security release, was made available on June 24th. It contains a series of security fixes, and it is recommended that you update your WordPress installation.

Meanwhile, the first release candidate (RC1) for WordPress 6.6 is also available, offering developers and enthusiasts a preview of the upcoming changes in the WordPress 6.6 release, which is scheduled for July 16th.

3. WordPress plugin directory raised the “Active Install” limit to 10+ Million

The WordPress Plugin Directory has increased the “Active Install” limit, allowing plugins hosted on WordPress.org to display active installation counts exceeding 10 million.

We've updated our most popular WP plugins by active installations article, so you can check which plugins have surpassed this milestone.

4. ACF launched its annual survey for 2024

One of the most popular meta field plugins, Advanced Custom Fields, has launched its second publicly available annual survey. The survey consists of around 30 questions, most of which are multiple-choice, and includes questions about:

  • How you’re using ACF’s fields and features
  • Your experiences with building WordPress sites
  • What improvements or additions you’d like to see in ACF

You can participate in the survey, which is open until July 31.

By publishing the results publicly (and anonymously), ACF makes this survey useful not only for themselves but for the entire WordPress community.

The survey contains not only ACF-specific questions but also general WordPress questions, helping to understand developer preferences. You can find the results of the 2023 ACF annual survey here.

5. New to the web platform in June

New features landed in stable and beta web browsers during June 2024, including:

  • JavaScript Set Methods: intersection, union, difference, symmetricDifference, isSubsetOf, isSupersetOf, isDisjointFrom.
  • Async Clipboard API
  • Color Interpolation in CSS Gradients
  • Cross-Document view transitions

6. This WordPress month in numbers

In this ongoing section, we utilize WordPress.org plugin and theme APIs to feature newly published items from this month. It's an excellent opportunity to discover new tools and improve your workflow.

168 new plugins and 111 new themes.
(Note: the list is too long; see the original interactive element.)

Thank you for reading! Subscribe to our monthly newsletter to stay updated on the latest WordPress news and useful tips.
