Cyber Security Application Security WordPress plugins and themes used to inject backdoors

WordPress plugins and themes used to inject backdoors

-

A massive attack on the supply chain affected 93 WordPress themes and plugins that were embedded with backdoors that gave attackers full access to sites.

JetPack experts reported that the attack began back in September 2021: 40 WordPress themes and 53 plugins hosted on the developer’s website (AccessPress Themes, a Nepalese company) were infected with malware. It is emphasized that backdoors were introduced into the code after the themes and plugins were released by the developer.

“The infected extensions contained a web shell dropper that gave attackers full access to the infected sites,” the researchers wrote. “The same extensions were safe if downloaded and installed directly from the WordPress.org directory.”

Affected themes

If you have any of the themes below installed on your site, we recommend migrating to another theme as soon as you’re able to. AccessPress Themes has not yet provided any updates for any of these, and they have been pulled from the WordPress.org repository.

Theme slugVersion
accessbuddy1.0.0
accesspress-basic3.2.1
accesspress-lite2.92
accesspress-mag2.6.5
accesspress-parallax4.5
accesspress-ray1.19.5
accesspress-root2.5
accesspress-staple1.9.1
accesspress-store2.4.9
agency-lite1.1.6
aplite1.0.6
bingle1.0.4
bloger1.2.6
construction-lite1.2.5
doko1.0.27
enlighten1.3.5
fashstore1.2.1
fotography2.4.0
gaga-corp1.0.8
gaga-lite1.4.2
one-paze2.2.8
parallax-blog3.1.1574941215
parallaxsome1.3.6
punte1.1.2
revolve1.3.1
ripple1.2.0
scrollme2.1.0
sportsmag1.2.1
storevilla1.4.1
swing-lite1.1.9
the-launcher1.3.2
the-monday1.4.1
uncode-lite1.3.1
unicon-lite1.2.6
vmag1.2.7
vmagazine-lite1.3.5
vmagazine-news1.0.5
zigcy-baby1.0.6
zigcy-cosmetics1.0.5
zigcy-lite2.0.9

Table 1: Themes and versions compromised by the attack.

Affected plugins

If you have any of the following plugins with a version number in the Bad column installed on your site, we do recommend to upgrade to the version in the Clean column immediately. It’s worth noting that the plugins installed through WordPress.org are clean, even if they are listed in the Bad column. We still recommend upgrading to the known clean version to be on the safe side.

Plugins with no version number in the Clean column have not yet been upgraded, and we recommend replacing it with other plugins if at all possible.

Plugin slugBadCleanNote
accesspress-anonymous-post2.8.02.8.11
accesspress-custom-css2.0.12.0.2
accesspress-custom-post-type1.0.81.0.9
accesspress-facebook-auto-post2.1.32.1.4
accesspress-instagram-feed4.0.34.0.4
accesspress-pinterest3.3.33.3.4
accesspress-social-counter1.9.11.9.2
accesspress-social-icons1.8.21.8.3
accesspress-social-login-lite3.4.73.4.8
accesspress-social-share4.5.54.5.6
accesspress-twitter-auto-post1.4.51.4.6
accesspress-twitter-feed1.6.71.6.8
ak-menu-icons-lite1.0.9
ap-companion1.0.72
ap-contact-form1.0.61.0.7
ap-custom-testimonial1.4.61.4.7
ap-mega-menu3.0.53.0.6
ap-pricing-tables-lite1.1.21.1.3
apex-notification-bar-lite2.0.42.0.5
cf7-store-to-db-lite1.0.91.1.0
comments-disable-accesspress1.0.71.0.8
easy-side-tab-cta1.0.71.0.8
everest-admin-theme-lite1.0.71.0.8
everest-coming-soon-lite1.1.01.1.1
everest-comment-rating-lite2.0.42.0.5
everest-counter-lite2.0.72.0.8
everest-faq-manager-lite1.0.81.0.9
everest-gallery-lite1.0.81.0.9
everest-google-places-reviews-lite1.0.92.0.0
everest-review-lite1.0.7
everest-tab-lite2.0.32.0.4
everest-timeline-lite1.1.11.1.2
inline-call-to-action-builder-lite1.1.01.1.1
product-slider-for-woocommerce-lite1.1.51.1.6
smart-logo-showcase-lite1.1.71.1.8
smart-scroll-posts2.0.82.0.9
smart-scroll-to-top-lite1.0.31.0.4
total-gdpr-compliance-lite1.0.4
total-team-lite1.1.11.1.2
ultimate-author-box-lite1.1.21.1.3
ultimate-form-builder-lite1.5.01.5.1
woo-badge-designer-lite1.1.01.1.1
wp-1-slider1.2.91.3.0
wp-blog-manager-lite1.1.01.1.2
wp-comment-designer-lite2.0.32.0.4
wp-cookie-user-info1.0.71.0.8
wp-facebook-review-showcase-lite1.0.9
wp-fb-messenger-button-lite2.0.7
wp-floating-menu1.4.41.4.5
wp-media-manager-lite1.1.21.1.3
wp-popup-banners1.2.31.2.4
wp-popup-lite1.0.8
wp-product-gallery-lite1.1.1

Table 2: Plugins, versions compromised by the attack as well as known clean versions,

Notes:

  1. This plugin has not been updated, but is believed to be clean as the version on the AccessPress Themes website was an older version.
  2. This plugin has not been updated, but is believed to be clean as it was not originally available on the AccessPress Themes website.

According to JetPack, the corrupted software contained the itial.php script, which was added to the main directory and then included in the main functions.php file. Initial.php acted as a dropper and used base64 to mask the code. It downloaded the payload from wp-theme-connect[.]com and used it to install the backdoor as wp-includes/vars.php. After installation, the dropper self-destructed, trying to hide the traces of the attack.

Sucuri experts, who also studied the incident, report that although the attack on AccessPress lasted for several months, some of the sites infected with the backdoor contained almost three years old spam. That is, attackers have long been selling access to hacked sites to other criminal groups.

According to experts, the attackers used their backdoors to simply redirect visitors to infected sites to fraudulent resources and resources with malware. That is, this campaign was not too sophisticated.

On January 17, 2022, AccessPress developers introduced new, “clean” versions of all their products.

Must read

28 dangerous extensions detected for Google Chrome and Microsoft Edge

Avast experts have discovered malware hidden in at least 28 third-party...

Critical Infrastructure Warning! Millions of PLCs, switches, IoT devices are under threat

Eleven vulnerabilities, combined under the name Urgent / 11,...

Why Is It Important To Have Intrusion Detection And Prevention ?

This article describes why detection and prevention of burglaries...

The risk is real: attacks on OT infrastructure

Previously, many believed that attacks on an isolated OT...

Gitpaste-12: Linux bot armed with a dozen exploits

Researchers at Juniper Networks have discovered a Linux scripting...

Saferwall : Open Source Malware Analysis

Saferwall is an open source malware analysis platform. It...

Network Vulnerability Assessment ? Why Should Every Company Do it at least once a Year !

Network vulnerability assessment analyzes a variety of network issues,...

Artificial Intelligence and Cyber Security

As artificial intelligence intrudes into the world of cybersecurity,...

You might also likeRELATED
Recommended to you