WordPress: Backdoors in AccessPress Themes and Plugins

WordPress users beware: there is again a large set of compromised WordPress plugins and themes, this time caused by a supply chain attack on the provider AccessPress. In dozens of this provider's plugins and themes, attackers planted a backdoor that lets them take over the installed sites and potentially exfiltrate data. Separately, the WordPress plugin WP HTML Mail has a vulnerability. Here is a brief overview.


Supply chain attack on plugins and themes

This time it hit AccessPress, a developer of WordPress add-ons that are used on over 360,000 active websites. Bleeping Computer and The Hacker News have covered the case.

Backdoors in WordPress Themes/Plugins

The security incident was uncovered by Jetpack; Sucuri has also addressed it. While investigating a compromised website, security researchers discovered suspicious code in a theme from AccessPress Themes (also known as Access Keys). AccessPress is a provider with a large number of popular themes and plugins.

AccessPress hacked

Upon further analysis, the researchers found that all of the provider's themes and most of its plugins contained this suspicious code. The infected extensions carried a dropper for a web shell that gives the attackers full access to the affected websites. However, only copies downloaded from the vendor's own website were affected: the same extensions were clean when downloaded or installed directly from the WordPress.org directory.

Based on the way the extensions were compromised, the researchers suspected that an external attacker had broken into AccessPress Themes' website in order to use its extensions as a distribution channel to infect further websites. Attempts to contact the vendor were unsuccessful. After the matter was forwarded to the WordPress.org plugin team, the suspicion was confirmed: AccessPress Themes' websites were attacked in the first half of September 2021, and the extensions available for download on their website were infected with a backdoor.


Affected users need to take action

Jetpack's post contains a list of the WordPress themes and plugins infected with the backdoor. Anyone who installed themes or plugins directly from AccessPress Themes or from another third-party source (but not from WordPress.org) should immediately update to a secure version (see the overview in the tables in that post). If no secure version is available, replace the theme/plugin with the latest version from WordPress.org.

Please note that updating or replacing the extension does not remove a backdoor that has already been dropped: the dropper modifies WordPress core files, so you additionally need to reinstall a clean copy of WordPress to undo those changes. If you use a paid theme or plugin from AccessPress Themes/Access Keys, contact their support.
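Since the copies on WordPress.org were clean while the vendor downloads were not, the practical check for an installed AccessPress theme or plugin is to diff it file by file against a freshly downloaded copy from WordPress.org: any extra file is a dropper candidate, and any modified file may carry an injected loader. The script below is an added example (not code from the post, from Jetpack or from AccessPress); it builds two small constructed directory trees in a temp folder, a clean "reference" and a tampered "installed" copy, and reports added, missing and modified files by SHA-256. The file names inside the sample trees are hypothetical and not the real backdoor's file names.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large assets don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root: Path) -> dict:
    """Map every file below root (relative, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(installed: Path, reference: Path) -> dict:
    """Classify the installed extension's files against a clean reference copy."""
    inst, ref = tree_digest(installed), tree_digest(reference)
    return {
        # Present only in the installed copy: exactly where a dropper/web shell would sit.
        "added": sorted(set(inst) - set(ref)),
        # Present only in the reference: usually a version mismatch, worth a second look.
        "missing": sorted(set(ref) - set(inst)),
        # Same path, different content: injected loader lines show up here.
        "modified": sorted(f for f in set(inst) & set(ref) if inst[f] != ref[f]),
    }


def build_demo() -> tuple:
    """Construct sample data (hypothetical, not real AccessPress files):
    a clean reference tree and an installed tree with simulated tampering."""
    base = Path(tempfile.mkdtemp())
    ref = base / "reference" / "example-theme"
    inst = base / "installed" / "example-theme"
    for root in (ref, inst):
        (root / "inc").mkdir(parents=True)
        (root / "style.css").write_text("/* Theme Name: Example */\n")
        (root / "inc" / "helpers.php").write_text("<?php function ex_helper() {}\n")
        (root / "functions.php").write_text("<?php require_once 'inc/helpers.php';\n")
    # Simulated tampering: one extra file plus an appended loader line in functions.php.
    (inst / "inc" / "extra.php").write_text("<?php /* hypothetical dropper placeholder */\n")
    with (inst / "functions.php").open("a") as f:
        f.write("require_once 'inc/extra.php';\n")
    return inst, ref


if __name__ == "__main__":
    installed, reference = build_demo()
    for kind, files in compare_trees(installed, reference).items():
        print(f"{kind}: {files}")
```

In a real audit, point `compare_trees` at `wp-content/themes/<slug>` (or `wp-content/plugins/<slug>`) and at the extracted zip of the same version from WordPress.org. For WordPress core and for plugins hosted on WordPress.org, WP-CLI already does this against the published checksums (`wp core verify-checksums`, `wp plugin verify-checksums --all`); the script above covers themes and vendor-distributed copies, which those commands do not.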

Vulnerable WP HTML Mail Plugin

The WordPress plugin WP HTML Mail, installed on over 20,000 sites, has a high-severity flaw that can lead to code injection and the sending of convincing phishing emails from the affected site. The colleagues at Bleeping Computer have covered it here.
