Several WordPress.org Plugins <= Various Versions - Injected Backdoor

Embedded Malicious Code
CVE: CVE-2024-6297
CVSS: Critical (10)
Publicly Published: June 24, 2024
Last Updated: October 8, 2024
Description

Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials, creates new malicious administrator users, and sends that data back to a server. All affected plugins have received updates reverting the added malicious code. The affected version of Simply Show Hooks (1.2.1) carries the same number as the patched version (1.2.1); it does not appear that the malicious copy was ever officially released, so sites running 1.2.1 should be unaffected, though it is a good idea to run a complete Wordfence scan and verify that there are no rogue administrator accounts present.

References

13 affected software packages

Software Type: Plugin
Software Slug: twenty20
Patched? Yes
Affected Versions:
  • 1.5.4 - 1.5.4
  • 1.6.2 - 1.6.2
  • 1.6.3 - 1.6.3
Patched Version:
  • 1.6.4

Software Type: Plugin
Software Slug: seo-optimized-images
Patched? Yes
Affected Versions:
  • 2.1.2 - 2.1.2
Patched Version:
  • 2.1.4

Software Type: Plugin
Software Slug: powerpress
Patched? Yes
Affected Versions:
  • 11.9.3 - 11.9.4
Patched Version:
  • 11.9.6

Software Type: Plugin
Software Slug: wpcom-member
Patched? Yes
Affected Versions:
  • 1.3.15 - 1.3.15
  • 1.3.16 - 1.3.16
Patched Version:
  • 1.3.14

Software Type: Plugin
Software Slug: social-warfare
Patched? Yes
Affected Versions:
  • 4.4.6.4 - 4.4.7.1
Patched Version:
  • 4.4.7.3

Software Type: Plugin
Software Slug: contact-form-7-multi-step-addon
Patched? Yes
Affected Versions:
  • 1.0.4 - 1.0.5
Patched Version:
  • 1.0.7

Software Type: Plugin
Software Slug: simply-show-hooks
Patched? Yes
Affected Versions:
  • 1.2.1 - 1.2.2
Patched Version:
  • 1.2.1

Software Type: Plugin
Software Slug: britetechs-companion
Patched? Yes
Affected Versions:
  • 2.2.7 - 2.2.7
Patched Version:
  • 2.2.8

Software Type: Plugin
Software Slug: wrapper-link-elementor
Patched? Yes
Affected Versions:
  • 1.0.2 - 1.0.3
Patched Version:
  • 1.0.5

Software Type: Plugin
Software Slug: ad-invalid-click-protector
Patched? Yes
Affected Versions:
  • 1.2.9 - 1.2.9
Patched Version:
  • 1.2.11

Software Type: Plugin
Software Slug: blaze-widget
Patched? Yes
Affected Versions:
  • 2.2.5 - 2.5.2
Patched Version:
  • 2.5.4

Software Type: Plugin
Software Slug: pods
Patched? Yes
Affected Versions:
  • 3.2.3 - 3.2.3
Patched Version:
  • 3.2.4

Software Type: Plugin
Software Slug: wp-server-stats
Patched? Yes
Affected Versions:
  • 1.7.6 - 1.7.6
Patched Version:
  • 1.7.8
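To turn the affected-version list above into a quick site triage, here is an added helper (not Wordfence's code) that checks a plugin inventory against the ranges in this record, including the Simply Show Hooks 1.2.1 exception the description notes. The sample inventory is constructed; on a real site the slug/version pairs would come from the plugins directory or `wp plugin list`.

```python
from typing import Dict, List, Tuple

# Inclusive affected ranges per plugin slug, copied from the record above.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "twenty20": [("1.5.4", "1.5.4"), ("1.6.2", "1.6.2"), ("1.6.3", "1.6.3")],
    "seo-optimized-images": [("2.1.2", "2.1.2")],
    "powerpress": [("11.9.3", "11.9.4")],
    "wpcom-member": [("1.3.15", "1.3.15"), ("1.3.16", "1.3.16")],
    "social-warfare": [("4.4.6.4", "4.4.7.1")],
    "contact-form-7-multi-step-addon": [("1.0.4", "1.0.5")],
    "simply-show-hooks": [("1.2.1", "1.2.2")],
    "britetechs-companion": [("2.2.7", "2.2.7")],
    "wrapper-link-elementor": [("1.0.2", "1.0.3")],
    "ad-invalid-click-protector": [("1.2.9", "1.2.9")],
    "blaze-widget": [("2.2.5", "2.5.2")],
    "pods": [("3.2.3", "3.2.3")],
    "wp-server-stats": [("1.7.6", "1.7.6")],
}
# Per the advisory text, the released 1.2.1 build of Simply Show Hooks is the
# clean, patched one even though 1.2.1 sits inside the listed affected range.
KNOWN_CLEAN = {("simply-show-hooks", "1.2.1")}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.4.7.1' into (4, 4, 7, 1); pad to 4 parts so '1.6' == '1.6.0'."""
    parts = []
    for seg in v.strip().split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(slug: str, version: str) -> bool:
    """True if the installed version falls inside any affected range."""
    if (slug, version) in KNOWN_CLEAN:
        return False
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED.get(slug, []))

def triage(installed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (slug, version) pairs that need updating, sorted by slug."""
    return sorted((s, v) for s, v in installed.items() if is_affected(s, v))

# Constructed sample inventory: slug -> installed version.
SAMPLE_SITE = {
    "blaze-widget": "2.3.0",        # inside 2.2.5 - 2.5.2
    "social-warfare": "4.4.7.3",    # already on the patched release
    "simply-show-hooks": "1.2.1",   # same number as the patched build
    "pods": "3.2.3",                # exact affected version
    "akismet": "5.3",               # not part of this advisory
}
```

Calling `triage(SAMPLE_SITE)` returns only blaze-widget and pods; a version check is a starting point, and the advisory's recommendation to scan and review administrator accounts still applies to any site that ran an affected build.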
This record contains material that is subject to copyright

Copyright 2012-2026 Defiant Inc.
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy.