Hackers have planted a secret backdoor in dozens of WordPress plugins and themes
In another case of a software supply chain attack, dozens of WordPress themes and plugins hosted on a developer’s website were hijacked with malicious code during the first half of September 2021 in an attempt to infect other sites.
The backdoor gave attackers full administrative control over websites that were using 40 themes and 53 plugins owned by AccessPress Themes, a Nepal-based company with no less than 360,000 active website installs.
“The infected extensions contained a dropper for a web shell that gives attackers full access to infected sites,” security researchers at JetPack, a WordPress plugin suite developer, said in a report released this week. “The same extensions were fine if downloaded or installed directly from WordPress[.]org directory.”
The vulnerability has been assigned the identifier CVE-2021-24867. Website security platform Sucuri, in a separate analysis, said some of the infected websites found using this backdoor had spam payloads dating back nearly three years, implying that the actors behind the backdoor operation sold access to the sites to operators of other spam campaigns.
Earlier this month, cybersecurity firm eSentire revealed how compromised WordPress websites belonging to legitimate companies are being used as a hotbed for spreading malware, serving unsuspecting users who search for postnuptial agreements or intellectual property on search engines like Google with an implant called GootLoader.
Site owners who installed the plugins directly from the AccessPress Themes website are advised to immediately upgrade to a secure version or replace them with the latest version from the WordPress[.]org directory. Additionally, a clean copy of WordPress should be deployed to undo the changes made when the backdoor was installed.
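The report quoted above notes that the same extensions were clean when obtained from the WordPress.org directory, which gives a site owner a simple integrity check: compare the installed copy of a plugin or theme against a freshly downloaded reference copy of the same version and list every file that was added, removed or modified. The script below is an added example, not code from the article or from JetPack, Sucuri or AccessPress Themes; the plugin name, file contents and directory layout are constructed on the spot in a temporary folder so it runs offline, and in practice `reference` would point at the unzipped WordPress.org package and `installed` at `wp-content/plugins/<name>`.

```python
"""Added example: diff an installed WordPress plugin directory against a clean
reference copy of the same version and report added / removed / modified files.
The sample directories are constructed in a temp folder (hypothetical plugin)."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file path (relative to root, POSIX-style) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(reference: Path, installed: Path) -> dict[str, list[str]]:
    """Return files only in the install ('added'), only in the reference
    ('removed') and present in both with different content ('modified').
    A file dropped into a tampered package shows up under 'added'; a line
    injected into an existing file shows up under 'modified'."""
    ref, inst = hash_tree(reference), hash_tree(installed)
    return {
        "added": sorted(set(inst) - set(ref)),
        "removed": sorted(set(ref) - set(inst)),
        "modified": sorted(p for p in set(ref) & set(inst) if ref[p] != inst[p]),
    }


def _write(root: Path, files: dict[str, str]) -> None:
    """Create the given relative paths under root with the given text."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def build_sample() -> tuple[Path, Path]:
    """Constructed sample: a clean reference copy, and an installed copy whose
    main file gained one extra line and which carries one extra file.
    Plugin name and contents are hypothetical, not from the article."""
    base = Path(tempfile.mkdtemp(prefix="wp-plugin-check-"))
    clean = {
        "example-plugin/example-plugin.php": "<?php\n// Plugin Name: Example Plugin\n",
        "example-plugin/inc/helpers.php": "<?php\nfunction ep_helper() {}\n",
        "example-plugin/readme.txt": "=== Example Plugin ===\n",
    }
    tampered = dict(clean)
    tampered["example-plugin/example-plugin.php"] += "// line not in the reference copy\n"
    tampered["example-plugin/inc/extra.php"] = "<?php\n// file not in the reference copy\n"
    _write(base / "reference", clean)
    _write(base / "installed", tampered)
    return base / "reference", base / "installed"


if __name__ == "__main__":
    reference, installed = build_sample()
    for kind, paths in diff_trees(reference, installed).items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Any entry under `added` or `modified` is worth inspecting by hand before the site is rebuilt from a clean copy; an empty result only says the extension matches the reference, not that the rest of the WordPress install is clean, which is why the article recommends redeploying WordPress itself as well.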
The findings also come as WordPress security firm Wordfence disclosed details of a now-patched cross-site scripting (XSS) vulnerability affecting a plugin called “WordPress Email Template Designer – WP HTML Mail”, which is installed on over 20,000 websites.
Tracked as CVE-2022-0218, the bug was rated 8.3 on the CVSS vulnerability scoring system and was fixed as part of updates released on January 13, 2022 (version 3.1).
According to statistics published by Risk Based Security this month, as many as 2,240 security flaws were discovered and reported in third-party WordPress plugins by the end of 2021, up 142% from 2020, when nearly 1,000 vulnerabilities were disclosed. To date, a total of 10,359 WordPress plugin vulnerabilities have been discovered.