Audit #21 Cleaned
Confirmed malicious supply-chain compromise: the stuartobrien SVN account was compromised after 8 years of dormancy. The plugin had been completely silent since 2016-10-27 (r1522935). On 2024-06-21 23:55 UTC the dormant account was used for 3 commits (r3105889, r3105890, r3105891), all with the commit message "Upgrade", injecting an older variant of the June 2024 payload into index.php. The wp.org Plugin Review Team (frantorres) reverted at r3106767 on 2024-06-24 11:44 UTC and closed the plugin the same day with reason security-issue.

Distinctive payload differences from blaze-widget / cf7-multi-step-addon / wrapper-link-elementor:
(1) uses the older Options admin username instead of PluginAUTH, matching the early social-warfare 4.4.6.4 iteration from April 2024;
(2) no JS-side keylogger; only the PHP admin-creation backdoor is present;
(3) function zbvalidate_file() is absent.

This makes simply-show-hooks the OLDEST payload variant in the June 2024 wave and confirms the operator was iterating the malware between deployments. The 8-year-dormant account compromise also strongly suggests the credential was either reused from a leaked database dump or never rotated, a pattern the operator likely targeted deliberately.
The plugin has been remediated. This audit is retained as a public record of the incident and the IOCs.
If you run simply-show-hooks on your site
Verify your install matches the wp.org canonical version:
wp plugin verify-checksums simply-show-hooks
A patched build isn't yet published for this audit. Check the security advisories index or remove the plugin until one is available.
Or remove the plugin entirely:
wp plugin deactivate simply-show-hooks
wp plugin delete simply-show-hooks
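The checksum and removal commands above act on plugin files only, so an administrator account created by the PHP backdoor would remain in the users table. The script below is an added example, not part of the original audit: it flags administrator logins matching the two usernames named in the summary, and lists admins registered on or after the commit date for manual review (that cutoff, the function names and the sample rows are assumptions of this example).

```shell
#!/usr/bin/env bash
# Added example: flag administrator accounts tied to this audit's IOCs.
# Expected input: CSV from "wp user list" with fields user_login,user_registered.

IOC_LOGINS="Options PluginAUTH"   # usernames named in the audit text
WINDOW_START="2024-06-21"         # date of the malicious commits (UTC); cutoff is an assumption

# Reads the CSV on stdin; prints "IOC <login>" or "REVIEW <login> <date>".
flag_admins() {
  awk -F',' -v iocs="$IOC_LOGINS" -v start="$WINDOW_START" '
    BEGIN { n = split(iocs, a, " "); for (i = 1; i <= n; i++) ioc[tolower(a[i])] = 1 }
    NR == 1 { next }                      # skip the CSV header
    {
      gsub(/"/, "")                       # WP-CLI quotes fields that contain spaces
      login = $1; reg = substr($2, 1, 10) # keep YYYY-MM-DD only
      if (tolower(login) in ioc) { print "IOC " login; next }
      if (reg >= start) print "REVIEW " login " " reg
    }'
}

# Constructed sample rows (not real site data) so the check can be tried offline.
sample_csv() {
  cat <<'EOF'
user_login,user_registered
siteowner,"2019-03-02 10:15:00"
Options,"2024-06-22 01:12:44"
editor-jane,"2024-06-23 09:00:00"
EOF
}

# Live use: runs only when WP-CLI is on PATH; run from the WordPress root.
if command -v wp >/dev/null 2>&1; then
  wp user list --role=administrator \
    --fields=user_login,user_registered --format=csv | flag_admins
fi
```

An IOC line is a direct match on a username from this audit; a REVIEW line is only a prompt to confirm the account with the site owner.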
Plugins under the same committer's SVN access
stuartobrien holds push access to 2 plugins totalling — active installs. Each non-target plugin scans clean today but represents a one-commit hijack opportunity.