
Audit #14 Cleaned

Social Sharing Plugin – Social Warfare · 20k+ installs · baseline 4.4.6.3 → head 4.4.7.1 · by beacon-scan-skill · closed 5d ago


Confirmed malicious supply-chain compromise. Between 2024-04-05 and 2024-06-22 the WarfarePlugins wp.org committer account was used to push six tagged releases (4.4.6.4, 4.4.6.5, 4.4.6.6, 4.4.6.8, 4.4.6.9, 4.4.7.1) containing two distinct backdoors. The wp.org Plugin Review Team detected the compromise on or before 2024-06-24, deleted all six malicious tags from public SVN (only baselines 4.4.6.3 and 4.4.7.2 remain in tags/ today), forced the cleanup release 4.4.7.2, and published an advisory on the plugin's support forum. The plugin returned to legitimate maintainer control; current trunk (v4.5.6 as of 2025-03-18) is clean.

This audit is retrospective — the compromise has been remediated for ~22 months. Purpose: extract IOCs into the catalog so any historical or future re-emergence on other plugins is detected automatically.

Two backdoor mechanisms in social-warfare.php:

1. PHP-side persistence (my_admin_init_function) — runs on admin_init, gated by a my_admin_init_function_run option flag so it only fires once per site. Reads wp-config.php to extract DB credentials + table prefix, opens a direct mysqli connection bypassing WordPress, and inserts a backdoor admin user. Username string evolved across iterations: Options (4.4.6.4) → PluginAUTH (4.4.7.1). Phones home to attacker C2 with admin URL + created username.

2. JS-side keylogger (add_footer_script) — attached to wp_footer, emits a <script> that:

  • Loads https://94.156.79.8/sc-top.js (raw IP, no DNS)
  • Generates a 10-char random UID, persists in cookie xcnmo-offsetgxc; path=/
  • Listens to all input events, sending (uid, field-name, base64(value)) to https://hostpdf.co/pinche.php on every keystroke into a non-button input
  • Captures admin credentials (wp-admin login forms), customer payment details (WooCommerce checkout), anything typed into a form field on any page of the compromised site

Multi-CMS recon component. The PHP backdoor goes beyond WordPress — it walks the parent filesystem looking for $config['encryption_key'] (PrestaShop), prestashop, drupal, Symfony\Component markers and reports each found install to https://94.156.79.8/CMSUsers. Indicates the operator targets shared/multi-app hosting environments and treats any compromise as a beachhead for fleet-wide enumeration.

Operator OPSEC indicators. The malicious commit also added:

  • assets/images/admin-options-page/Thumbs.db — Windows Explorer thumbnail cache file (committed by accident)
  • CRLF line endings on assets/js/admin.js and lib/options/SWP_Option_Abstract.php (otherwise byte-identical to baseline) — the attacker re-saved these files in a Windows editor while making their changes

The Thumbs.db artifact and the CRLF re-saves are inadvertent indicators that the attacker edited the trunk on a Windows workstation. Not actionable as detection on their own, but worth cataloguing as a corroborating signal class.

Cleanup published — updates flowing through wp.org again

The plugin has been remediated. This audit is retained as a public record of the incident and the IOCs.

If you run social-warfare on your site

Verify your install matches the wp.org canonical version:

wp plugin verify-checksums social-warfare


Or remove the plugin entirely:

wp plugin deactivate social-warfare
wp plugin delete social-warfare


✓ Cleanup confirmed and audit closed.

Plugins under the same committer's SVN access

warfareplugins holds push access to 1 plugin totalling 20k+ active installs.

Social Sharing Plugin – Social Warfare — patched / closed audit · 20k+ active installs

IOCs extracted (17)

Kind              Value                                        Confidence
changelog_phrase  2024.06.22 MASTER                            medium
code_pattern      $username = 'Options'                        medium
code_pattern      add_footer_script                            medium
code_pattern      my_admin_init_function                       high
code_pattern      my_admin_init_function_run                   high
code_pattern      PluginAUTH                                   high
code_pattern      xcnmo-offsetgxc                              high
domain            hostpdf.co                                   high
filename          assets/images/admin-options-page/Thumbs.db   medium
filename          lib/utilities/.idea                          medium
ip                94.156.79.8                                  high
url               https://94.156.79.8/sc-top.js                high
url               https://hostpdf.co/pinche.php                high
url_path          /AddSites                                    high
url_path          /CMSUsers                                    high
url_path          /pinche.php                                  high
url_path          /sc-top.js                                   medium
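An added example, not part of the audit tooling or the plugin, showing how the file-level rows of this catalog (code_pattern, domain, ip, filename) can be applied to a plugin checkout to flag a re-emergence; the sample tree, its stand-in file contents and the extra "crlf" corroborating row are constructed here for the demo, and the url_path and changelog_phrase rows are left out because they match request logs and changelogs rather than files.

```python
import os
import tempfile

# IOC catalog from the table above, (kind, value, confidence); url_path/changelog rows omitted.
IOCS = [
    ("code_pattern", "my_admin_init_function_run", "high"),
    ("code_pattern", "my_admin_init_function", "high"),
    ("code_pattern", "PluginAUTH", "high"),
    ("code_pattern", "xcnmo-offsetgxc", "high"),
    ("domain", "hostpdf.co", "high"),
    ("ip", "94.156.79.8", "high"),
    ("filename", "assets/images/admin-options-page/Thumbs.db", "medium"),
    ("filename", "lib/utilities/.idea", "medium"),
]

def scan_plugin_dir(root):
    """Return sorted (rel_path, kind, value, confidence) hits under a plugin checkout."""
    hits = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            for kind, value, conf in IOCS:  # filename IOCs match a file's or a directory's path
                if kind == "filename" and rel == value:
                    hits.add((rel, kind, value, conf))
            if name in filenames:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    data = fh.read()
                text = data.decode("utf-8", "ignore")  # content IOCs are plain substring matches
                hits.update((rel, k, v, c) for k, v, c in IOCS if k != "filename" and v in text)
                # CRLF re-saves are only a corroborating signal, as the audit notes
                if b"\r\n" in data:
                    hits.add((rel, "crlf", "CRLF line endings", "corroborating"))
    return sorted(hits)

def build_sample_tree():
    """Constructed demo tree: stand-in files carrying the identifiers, not the real payload."""
    root = tempfile.mkdtemp(prefix="swp-demo-")
    os.makedirs(os.path.join(root, "lib", "utilities", ".idea"))  # JetBrains metadata dir
    files = {
        "social-warfare.php": "<?php\nadd_action('admin_init', 'my_admin_init_function');\n"
                              "$cookie = 'xcnmo-offsetgxc';\n",
        "assets/js/admin.js": "var swp = {};\r\n",  # otherwise clean, re-saved with CRLF
        "assets/images/admin-options-page/Thumbs.db": "",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", newline="") as fh:  # newline="" keeps \r\n as written
            fh.write(body)
    return root
```

Running `scan_plugin_dir(build_sample_tree())` reports the two code patterns, both filename artifacts and the CRLF file; note that the "my_admin_init_function" row also fires on any file containing the longer "_run" option name, so both rows appear together on a real hit.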

Plugin version history

Every release on wp.org for this plugin, color-coded by relationship to the incident. The compromise window shows where the wp.org Plugin Review Team deleted the malicious tags from SVN — those versions cannot be re-downloaded today.

  1. Clean · 60 earlier releases before the incident
    • 1.4.8
    • 2.0.4
    • 2.2.2
    • 2.2.3
    • 2.2.4
    • 2.2.5
    • 2.2.6
    • 2.2.7
    • 2.2.8
    • 2.2.9
    • 2.2.10
    • 2.2.11
    • 2.3.0
    • 2.3.1
    • 2.3.2
    • 2.3.3
    • 2.3.5
    • 3.0.0
    • 3.0.1
    • 2.3.4
    • 3.0.5
    • 3.0.6
    • 3.0.8
    • 3.0.9
    • 3.1.0
    • 3.1.1
    • 3.2.0
    • 3.2.1
    • 3.2.2
    • 3.3.0
    • 3.3.1
    • 3.3.2
    • 3.3.3
    • 3.4.0
    • 3.4.1
    • 3.4.2
    • 3.5.0
    • 3.5.1
    • 3.5.2
    • 3.5.3
    • 3.5.4
    • 3.6.0
    • 3.6.1
    • 4.0.0
    • 4.0.1
    • 4.0.2
    • 4.1.0
    • 4.2.0
    • 4.2.1
    • 4.3.0
    • 4.4.0
    • 4.4.1
    • 4.4.2
    • 4.4.3
    • 4.4.4
    • 4.4.5
    • 4.4.5.1
    • 4.4.6
    • 4.4.6.1
    • 4.4.6.2
  2. 4.4.6.3 · Last clean release before the incident
  3. 🛑 Compromise window · 77 days · 2024-04-07 → 2024-06-23

    6 tags deleted from SVN by the wp.org Plugin Review Team: 4.4.6.4 4.4.6.5 4.4.6.6 4.4.6.8 4.4.6.9 4.4.7.1

  4. 4.4.7.2 · PRT cleanup release — incident closed
  5. 4.4.7.3 · Clean (post-cleanup)
  6. 4.4.8 · Clean (post-cleanup)
  7. 4.5.0 · Clean (post-cleanup)
  8. 4.5.1 · Clean (post-cleanup)
  9. 4.5.2 · Clean (post-cleanup)
  10. 4.5.3 · Clean (post-cleanup)
  11. 4.5.4 · Clean (post-cleanup)
  12. 4.5.5 · Clean (post-cleanup)
  13. 4.5.6 · Current release

Audit #14 — social-warfare

  • Plugin: social-warfare (Social Sharing Plugin – Social Warfare)
  • Active installs: 20,000 (was 50,000+ pre-incident, 80,000+ at all-time peak)
  • Event: #1355 prt_forum_advisory · high · 2026-04-27
  • Source incident: PRT advisory thread 2024-06-24, "A Security Message from the Plugin Review Team"
  • Baseline version: 4.4.6.3 (last clean — released 2024-04-04)
  • Compromise window head: 4.4.7.1 (last malicious — released 2024-06-22)
  • First clean cleanup: 4.4.7.2 (released 2024-06-24, same day as PRT advisory)
  • Working dir: /tmp/wpbeacon-audits/audit-14


Exposure

At the time of compromise the plugin had ~80,000+ active installs. ~20,000 today suggests significant churn after the incident. Every site that auto-updated during the 2024-04-05 → 2024-06-22 window:

  • Has (or had) backdoor admin user Options or PluginAUTH in wp_users
  • Has (or had) my_admin_init_function_run = yes in wp_options
  • Was registered with the operator's C2 at 94.156.79.8/AddSites
  • Had the JS keylogger active on every page until updated to 4.4.7.2+

Verdict

malicious

Added files (3)

  • SECURITY.md — added by legitimate maintainer in the cleanup release
  • assets/images/admin-options-page/Thumbs.db — attacker dev-environment artifact
  • lib/utilities/.idea — JetBrains project metadata, also attacker dev-environment artifact

IOCs to extract

  • kind: ip, value: 94.156.79.8, confidence: high
  • kind: domain, value: hostpdf.co, confidence: high
  • kind: url, value: https://94.156.79.8/sc-top.js, confidence: high
  • kind: url, value: https://94.156.79.8/AddSites, confidence: high
  • kind: url, value: https://94.156.79.8/FCS, confidence: high
  • kind: url, value: https://94.156.79.8/CMSUsers, confidence: high
  • kind: url, value: https://hostpdf.co/pinche.php, confidence: high
  • kind: url_path, value: /sc-top.js, confidence: medium
  • kind: url_path, value: /AddSites, confidence: high
  • kind: url_path, value: /CMSUsers, confidence: high
  • kind: url_path, value: /pinche.php, confidence: high
  • kind: code_pattern, value: xcnmo-offsetgxc, confidence: high
  • kind: code_pattern, value: my_admin_init_function, confidence: high
  • kind: code_pattern, value: my_admin_init_function_run, confidence: high
  • kind: code_pattern, value: PluginAUTH, confidence: high
  • kind: code_pattern, value: $username = 'Options', confidence: medium
  • kind: code_pattern, value: add_footer_script, confidence: medium
  • kind: filename, value: assets/images/admin-options-page/Thumbs.db, confidence: medium
  • kind: filename, value: lib/utilities/.idea, confidence: medium
  • kind: changelog_phrase, value: 2024.04.05 MASTER, confidence: medium
  • kind: changelog_phrase, value: 2024.06.22 MASTER, confidence: medium

Notes

  • All malicious code paths were committed under the legitimate WarfarePlugins SVN account — i.e., the wp.org credentials for the official maintainer were compromised, NOT a takeover-by-acquisition. This places the incident in the same class as the broader June 2024 wp.org credential-stuffing wave (forminator, wpcode-lite, social-warfare, blogvault, others). The compromised_committer_burst rule is the structural detector for this class.
  • The two iterations of the payload (2024-04-05 vs 2024-06-22 SWP_DEV_VERSION strings, Options→PluginAUTH username swap, refactored echo→silent error handling) suggest the operator iterated the backdoor based on observation of which sites were getting cleaned up. This is sustained presence, not a smash-and-grab.
  • The same C2 infrastructure (94.156.79.8) was reportedly used in attacks on other plugins during the same wave. Cross-checking other 2024 PRT advisories against this IP could surface additional plugins that haven't been publicly attributed yet.