Malicious PHP Scripts Injected into Compromised WordPress Plugins
CVE-2024-6297

10 CRITICAL

Summary

Several WordPress plugins have been compromised through malicious code injection. Threat actors altered the source code of multiple plugins, embedding malicious PHP scripts designed to exfiltrate sensitive database credentials. The compromised plugins also create unauthorized administrator users, increasing the potential for data breaches and further exploitation. Many affected plugins have not yet been remediated; site owners are strongly advised to uninstall these plugins and conduct thorough malware scans to ensure the integrity of their websites.

Affected Version(s)

  • BLAZE Retail Widget 2.2.5 through 2.5.2

  • Contact Form 7 Multi-Step Addon 1.0.4 through 1.0.5

  • Simply Show Hooks 1.2.1 through 1.2.2

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
