Multiple WordPress plug-ins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts. The impacted plug-ins were hosted on WordPress.org.

Admin accounts created by the malicious code have the usernames “Options” and “PluginAuth”, with the account information exfiltrated to the IP address 94.156.79[.]8.

Website owners that notice accounts with these names or traffic to the attacker’s IP address should “immediately go into incident response mode,”