CVE-2024-6297
Description
Multiple WordPress plugins were compromised with malicious PHP scripts that exfiltrate database credentials and create admin users; uninstall and scan immediately.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A supply-chain compromise affected several WordPress plugins hosted on WordPress.org. Malicious PHP scripts were injected into the source code of these plugins, including the "Wrapper Link Elementor" plugin. The injected code exfiltrates database credentials and creates new administrator users with a specific email pattern (e.g., @example.com). The exact list of affected plugins and versions is not fully disclosed, but the compromise impacts any version containing the malicious code prior to its removal.
Exploitation
The attacker gained unauthorized access to the plugin source code repositories and injected the malicious scripts. Once a compromised plugin is installed and activated on a WordPress site, the malicious code executes automatically without requiring additional authentication or user interaction. The code sends database credentials to an external server and creates a new administrator user account with a known email pattern, as seen in the response script that invalidates such users [1].
Impact
Successful exploitation results in full site compromise. The attacker obtains database credentials, enabling direct database access, and creates a persistent backdoor via a new administrator user. This can lead to data theft, site defacement, malware distribution, and further attacks on the server infrastructure.
Mitigation
As of the publication date (2024-06-25), not all affected plugins have been patched. The recommended mitigation is to uninstall any suspected compromised plugins and run a complete malware scan. For the "Wrapper Link Elementor" plugin, a response script has been added to invalidate the malicious admin user and display an admin notice [1]. However, uninstalling and scanning remains the safest course of action until all plugins are patched.
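A defender-side check along the lines of the response script described above, written here as an added example (it is not the plugin author's script and not code from this page): a WordPress must-use plugin that finds administrator accounts whose e-mail domain matches a suspicious pattern, demotes them, destroys their sessions and raises an admin notice. The domain `example.com` and all `saa_` names are assumptions; the real indicator must come from the vendor's response script or your scanner output.

```php
<?php
/*
 * Plugin Name: Suspicious Admin Audit (added example, not the vendor's response script)
 * Drop into wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Assumption: the e-mail domain used by the injected accounts. The advisory only
// shows "@example.com" as an illustration; replace it with the indicator you observe.
define( 'SAA_SUSPECT_DOMAIN', 'example.com' );

// Return administrator users whose e-mail domain equals $domain (case-insensitive).
function saa_find_suspect_admins( $domain ) {
    $hits = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        $at = strrpos( $user->user_email, '@' );
        if ( false !== $at && 0 === strcasecmp( substr( $user->user_email, $at + 1 ), $domain ) ) {
            $hits[] = $user;
        }
    }
    return $hits;
}

// Demote rather than delete: authored content and the audit trail survive for forensics.
function saa_quarantine_suspect_admins() {
    $quarantined = array();
    foreach ( saa_find_suspect_admins( SAA_SUSPECT_DOMAIN ) as $user ) {
        $user->set_role( 'subscriber' );                             // strip administrator capabilities
        WP_Session_Tokens::get_instance( $user->ID )->destroy_all(); // log the account out everywhere
        $quarantined[] = $user->user_login;
        error_log( sprintf( 'SAA: demoted suspicious administrator "%s" (ID %d)', $user->user_login, $user->ID ) );
    }
    if ( $quarantined ) {
        update_option( 'saa_quarantined', $quarantined, false );
    }
}
add_action( 'admin_init', 'saa_quarantine_suspect_admins' );

// Tell the site owner what happened so the follow-up (credential rotation, full scan) is not skipped.
function saa_admin_notice() {
    $list = get_option( 'saa_quarantined', array() );
    if ( empty( $list ) ) {
        return;
    }
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( 'Suspicious administrator accounts were demoted: ' . implode( ', ', $list )
            . '. Rotate the database credentials in wp-config.php and run a full malware scan.' )
    );
}
add_action( 'admin_notices', 'saa_admin_notice' );
```

Demoting the account does not undo the credential exfiltration, so the notice deliberately points at rotating the database password as well.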
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.4.6.4
Patches
- blaze-widget (changeset r3105893): This plugin has been removed from the WordPress.org directory on 2024-06-24 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
- plugins.trac.wordpress.org/browser/blaze-widget/trunk/blaze_widget.php
- plugins.trac.wordpress.org/browser/contact-form-7-multi-step-addon/trunk/trx-contact-form-7-multi-step-addon.php
- plugins.trac.wordpress.org/browser/simply-show-hooks/trunk/index.php
- plugins.trac.wordpress.org/browser/social-warfare/tags/4.4.6.4/trunk/social-warfare.php
- plugins.trac.wordpress.org/browser/wrapper-link-elementor/trunk/wrapper.php
- plugins.trac.wordpress.org/changeset/3105893/
- plugins.trac.wordpress.org/changeset
- wordpress.org/support/topic/a-security-message-from-the-plugin-review-team/
- www.wordfence.com/threat-intel/vulnerabilities/id/56d24bc8-4a1a-4e60-aec5-960703a6058a