Thousands Of Websites Secretly Infected In Major Plugin Attack
By 813 Staff
Reported by BleepingComputer (@BleepinComputer) within the last 24 hours.
Source: https://x.com/BleepinComputer/status/2044514618035356072
A webmaster in Prague first noticed it as a flicker in his admin panel, a single line of obfuscated code where it didn’t belong. Within hours, that flicker became a wildfire. A popular suite of WordPress plugins, installed on over 15,000 sites, has been systematically compromised to inject malware, turning trusted website tools into a potent supply-chain attack. Internal documents from the cleanup effort show the breach’s origin: attackers gained administrative access to the plugin developer’s own systems, allowing them to push a malicious update directly from the source.
The suite, known as Flexible Custom Fields, Flexible Custom Post Types, and Flexible Custom Layouts, is a foundational toolkit for many site builders. According to the cybersecurity outlet BleepingComputer (@BleepinComputer), which first detailed the incident, the threat actors inserted a heavily obfuscated backdoor into version 4.4.0 of these plugins, released on April 14th. The code was designed to create a hidden administrative user account on every affected WordPress installation, giving the attackers persistent remote control. Any site with automatic plugin updates enabled received the backdoor with no action by its owner. Automatic updates remain sound practice, since they close known holes faster than manual patching, but this incident shows their trade-off: once the maintainer's publishing account is compromised, the same channel delivers the attacker's code with the same authority as a legitimate fix.
The rollout has been anything but smooth for the besieged developer, Flexible Elements. Engineers close to the project say the team was forced to completely shut down their WordPress.org plugin repository access to stop the bleeding, a drastic and rare measure. A clean version, 4.4.1, was hastily issued, but the damage was done. The incident underscores a structural weakness of the open-source plugin ecosystem: the immense trust placed in a single developer's publishing account. A compromise at that level sidesteps the usual site-level defenses, because the malicious code arrives through the same trusted update path as a legitimate release and runs with the plugin's full privileges, turning a routine update into a catastrophic event.
What happens next is a grueling manual cleanup for thousands of site administrators. Updating to the clean plugin version removes the malicious code shipped in 4.4.0, but not the administrator accounts it already created; every site that ran the bad version must be audited for unauthorized users and for any other code or changes that an attacker holding administrator rights could have left behind. The wider consequence is a renewed chilling effect. This breach follows an earlier high-profile incident involving the Popup Builder plugin last year, leading many enterprise clients to further question the security of WordPress's extensible model. For now, the immediate focus is containment. The attackers' ultimate goal remains unclear, but with thousands of compromised websites under their control, the potential for secondary attacks, from spam campaigns to data theft, is significant. The true scope of this incident will likely unfold over the coming weeks.
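The audit described above, as an added example that is not part of the article and not code from Flexible Elements or BleepingComputer. It assumes wp-cli is installed on the site host, that the user export contains no commas inside fields, and that the malicious release could not have reached a site before the CUTOFF date; the page gives "April 14th" without a year, so the 2026 value is an assumption to adjust. The two functions flag administrator accounts that are missing from a known-good allowlist or registered on or after the cutoff, and list PHP files that use the primitives obfuscated backdoors usually rely on. The sample CSV at the bottom is constructed for demonstration.

```shell
#!/bin/sh
# Added triage helper for a WordPress site that installed a backdoored plugin
# build. Not from the article or from the plugin developer.
# Assumptions: wp-cli is available on the host; no commas inside CSV fields;
# CUTOFF is the earliest date the malicious 4.4.0 build could have arrived
# (year assumed; the page only says "April 14th").

CUTOFF="${CUTOFF:-2026-04-14}"

# flag_admins "login1 login2 ..." < users.csv
# Reads the CSV produced by:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
# and prints one line per administrator that is absent from the allowlist or
# registered on/after CUTOFF. Output columns:
#   reason,ID,user_login,user_email,registered_date
# Caveat: user_registered is attacker-controllable once they hold admin
# rights, so the allowlist check is the one to trust; the date is a hint.
flag_admins() {
    awk -F, -v cutoff="$CUTOFF" -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                                  # header row
        {
            id = $1; login = $2; email = $3; reg = substr($4, 1, 10)
            reason = ""
            if (!(login in ok)) reason = "not-in-allowlist"
            if (reg >= cutoff)
                reason = (reason != "" ? reason "+" : "") "registered-after-cutoff"
            if (reason != "")
                printf "%s,%s,%s,%s,%s\n", reason, id, login, email, reg
        }'
}

# scan_suspicious_php DIR
# Lists PHP files under DIR that call eval/base64_decode/gzinflate/str_rot13,
# the usual building blocks of obfuscated WordPress backdoors. A hit is a
# lead for manual review, not proof of compromise (some legitimate code
# uses base64_decode too).
scan_suspicious_php() {
    grep -rlE --include='*.php' \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' \
        "$1" 2>/dev/null || true
}

# Constructed sample export: one long-standing admin and one account of the
# kind the backdoor would create after the bad update landed.
SAMPLE_USERS='ID,user_login,user_email,user_registered
1,alice,alice@example.com,2021-03-02 10:00:00
7,wp_support,support@example.net,2026-04-15 03:12:44'

# Runs the user check against the sample. On a real host, replace the printf
# with the wp-cli command above and point the scanner at wp-content/plugins:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv \
#      | flag_admins "alice bob"
#   scan_suspicious_php /var/www/html/wp-content/plugins
demo() {
    printf '%s\n' "$SAMPLE_USERS" | flag_admins "alice bob"
}
```

Run `demo` to see the sample account flagged with both reasons. Anything the user check reports should be removed only after confirming it with the site owner, and since an attacker with administrator rights can also add scheduled tasks, must-use plugins, or modified core files, the file scan is a starting point rather than the whole audit.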