Full access through backdoor in WordPress extensions

While investigating a compromised website, security researchers at Jetpack came across backdoors that cybercriminals had planted in AccessPress's plugins and themes after breaking into the vendor's servers.

The backdoor gives attackers full control of an affected WordPress installation. Anyone using the provider's themes or plugins should check their installation for the modifications Jetpack describes and either update the extension or replace it with one from another provider.

In the course of further analysis, the researchers found the suspicious code in all AccessPress themes and plugins, but only in copies downloaded from the vendor's own website. Copies of the same extensions distributed through the WordPress.org repository were clean.

The injected code is a dropper that installs a web shell, giving attackers full access to the site. The break-in took place in September 2021, and the themes and plugins were modified on several days of that month. Anyone who installed or updated AccessPress extensions from the vendor's website since September 2021 has therefore most likely picked up the backdoor.

In its security advisory, Jetpack lists in tables the numerous plugins and themes in which it found the malicious code. Since AccessPress also sells paid extensions that Jetpack has not examined, every extension offered on the vendor's website should be assumed affected, not just those listed.

AccessPress first removed the extensions from its site and then gradually published updated, cleaned-up plugins and themes. For the themes the version number did not change; a release date after January 20, 2022 is what identifies a cleaned version. The themes have been removed from the WordPress.org repository, so the updates are currently not available there.

Users who obtained AccessPress themes from anywhere other than the WordPress.org repository should update the theme, or remove it and replace it with one from another provider. The updated plugins should be installed as well.

Administrators should also check their installation for the modifications Jetpack lists in the details of its advisory, so that a backdoor that has already been installed is detected. To undo any changes to the WordPress core files, Jetpack further recommends reinstalling a clean copy of WordPress over the existing one. Note that this only replaces core files: anything planted under wp-content (themes, plugins, uploads) or any rogue administrator account the web shell was used to create has to be found and removed separately.
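One way to do that check, as an added example that is not from the article or from Jetpack's advisory: compare the installed core files against a checksum manifest, flag PHP files in wp-admin/ and wp-includes/ that a clean install would not contain, and pattern-scan the modified or unexpected files together with everything under wp-content/ (which core checksums do not cover) for constructs typical of droppers and web shells. The sample site, the manifest and the planted files below are constructed in a temporary directory purely for demonstration.

```python
# Added example (not from the article or Jetpack's advisory): an integrity
# sweep of a WordPress tree. Sample site and manifest are constructed below.
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic: code-execution primitives and "call whatever the request says"
# patterns. A hit is a lead to read by hand, not proof of compromise.
SUSPICIOUS = re.compile(
    rb"(\beval\s*\(|\bbase64_decode\s*\(|\bsystem\s*\(|\bpassthru\s*\(|"
    rb"\bshell_exec\s*\(|\$_(?:COOKIE|REQUEST|POST|GET)\s*\[[^\]]*\]\s*\()"
)


def md5_file(path):
    """MD5 is what WordPress.org's core checksum manifests use (integrity, not security)."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root, checksums):
    """root: WordPress install dir; checksums: {relative path: md5} for that version."""
    root = Path(root)
    modified, missing, unexpected, suspicious = [], [], [], []

    for rel, expected in checksums.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif md5_file(p) != expected:
            modified.append(rel)

    # Any PHP file inside the core directories that the manifest does not know about.
    for core_dir in ("wp-admin", "wp-includes"):
        d = root / core_dir
        if d.is_dir():
            for p in d.rglob("*.php"):
                rel = p.relative_to(root).as_posix()
                if rel not in checksums:
                    unexpected.append(rel)

    # Themes, plugins and uploads are outside the manifest, so pattern-scan them,
    # together with every core file that already looks wrong.
    candidates = [root / r for r in modified + unexpected]
    if (root / "wp-content").is_dir():
        candidates += list((root / "wp-content").rglob("*.php"))
    for p in candidates:
        if p.is_file() and SUSPICIOUS.search(p.read_bytes()):
            suspicious.append(p.relative_to(root).as_posix())

    return {
        "modified": sorted(modified),
        "missing": sorted(missing),
        "unexpected": sorted(unexpected),
        "suspicious": sorted(set(suspicious)),
    }


def build_demo_tree():
    """Constructed sample: a tiny 'site' with one tampered core file, one planted
    extra file in wp-includes/, one missing core file and one injected theme file."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    clean = {
        "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": b"<?php\n$wp_version = '5.9';\n",
        "wp-includes/functions.php": b"<?php\nfunction wp_demo_helper() { return 1; }\n",
        "wp-includes/load.php": b"<?php\n// deliberately never written: shows up as missing\n",
    }
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    for rel, data in clean.items():
        if rel.endswith("load.php"):
            continue
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    # Tamper with a core file: cookie-driven eval appended to legitimate code.
    (root / "wp-includes/functions.php").write_bytes(
        clean["wp-includes/functions.php"]
        + b"if (isset($_COOKIE['k'])) { eval(base64_decode($_COOKIE['k'])); }\n"
    )
    # Plant a file the manifest does not know about.
    (root / "wp-includes/wp-tmp.php").write_bytes(b"<?php\n$_REQUEST['f']($_REQUEST['a']);\n")
    # A theme with one clean file and one injected dropper.
    theme = root / "wp-content/themes/demo-theme"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_bytes(b"<?php\nadd_action('init', 'demo_init');\nfunction demo_init() {}\n")
    (theme / "dropper.php").write_bytes(b"<?php\neval(file_get_contents('php://input'));\n")
    return root, manifest


if __name__ == "__main__":
    site, manifest = build_demo_tree()
    for key, paths in verify_core(site, manifest).items():
        print(f"{key}: {paths}")
```

For a real site, the manifest for the installed version comes from WordPress.org's checksum API (https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=en_US, a JSON object whose `checksums` member maps each core path to its MD5); WP-CLI's `wp core verify-checksums` performs the same core comparison. wp-config.php and everything under wp-content are not covered by that manifest, which is why the pattern scan is there, and legitimate plugins do use `base64_decode` and friends, so treat each hit as something to read, not as a verdict.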

(dmk)
