Hackers Infiltrate Multiple WordPress Plugins, Creating Unauthorized Admin Accounts
Tech & AI | June 25, 2024, 2:53 a.m.
Multiple WordPress plugins have been compromised to inject malicious code that enables attackers to create unauthorized administrator accounts. The injected malware attempts to establish new admin user accounts and sends the details to a server controlled by the attackers. Furthermore, malicious JavaScript has been inserted into websites to spread SEO spam.
The rogue admin accounts are named "Options" and "PluginAuth," and their details are sent to the IP address 94.156.79[.]8. How the plugins were compromised is unclear, but the attack campaign has been ongoing since June 21, 2024.
The affected plugins have been removed from the WordPress directory for review. Users are advised to check for any suspicious administrator accounts and delete them, as well as remove any malicious code from their websites.
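One way to run the check advised above, as an added example that is not part of the original article: it flags administrator accounts that match the reported names or were created on or after June 21, 2024, and lists plugin files that contain the reported address. It assumes the admin list was exported with `wp user list --role=administrator --format=csv`; the sample CSV, the `plugin-a` tree and all function names are constructed for illustration.

```python
import csv, io, os, tempfile
from datetime import datetime

ROGUE_LOGINS = {"options", "pluginauth"}      # account names reported in the article
C2_IP = "94.156.79[.]8".replace("[.]", ".")   # article's address, refanged for matching
CAMPAIGN_START = datetime(2024, 6, 21)        # campaign start date from the article

# Constructed sample of `wp user list --role=administrator --format=csv` output.
SAMPLE_USERS_CSV = """ID,user_login,display_name,user_email,user_registered,roles
1,siteowner,Site Owner,owner@example.com,2021-03-02 09:15:00,administrator
7,Options,Options,o@example.net,2024-06-22 01:12:44,administrator
8,helpdesk2,Help Desk,hd@example.com,2024-06-23 18:30:10,administrator
"""

def review_admins(users_csv):
    """Return {login: [reasons]} for administrator accounts that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(users_csv)):
        reasons = []
        if row["user_login"].strip().lower() in ROGUE_LOGINS:
            reasons.append("reported rogue account name")
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= CAMPAIGN_START:
            reasons.append("created during the campaign window")
        if reasons:
            findings[row["user_login"]] = reasons
    return findings

def files_referencing_c2(root):
    """Return sorted (relative path, line number) pairs where the address appears."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith((".php", ".js")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if C2_IP.encode() in line:
                            hits.append((os.path.relpath(path, root), lineno))
    return sorted(hits)

def demo_scan():
    """Scan a constructed plugin tree holding one file that contains the address."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "plugin-a"))
        with open(os.path.join(root, "plugin-a", "main.php"), "w") as fh:
            fh.write("<?php\n$report_to = 'http://" + C2_IP + "/';\n")
        return files_referencing_c2(root)
```

A plain string match is only a first pass: injected code that encodes or splits the address will not be found this way, so a clean result does not replace comparing plugin files against known-good copies.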