A massive supply-chain attack affected 93 WordPress themes and plugins, which were shipped with backdoors that gave attackers full access to the sites using them.
Jetpack experts reported that the attack began back in September 2021: 40 WordPress themes and 53 plugins hosted on the developer’s website (AccessPress Themes, a Nepalese company) were infected with malware. The researchers emphasize that the backdoors were introduced into the code after the themes and plugins had been released by the developer.
“The infected extensions contained a web shell dropper that gave attackers full access to the infected sites,” the researchers wrote. “The same extensions were safe if downloaded and installed directly from the WordPress.org directory.”
If you have any of the themes below installed on your site, we recommend migrating to another theme as soon as you’re able to. AccessPress Themes has not yet provided any updates for any of these, and they have been pulled from the WordPress.org repository.
Table 1: Themes and versions compromised by the attack.
If you have any of the following plugins with a version number in the Bad column installed on your site, we do recommend upgrading to the version in the Clean column immediately. It’s worth noting that the plugins installed through WordPress.org are clean, even if they are listed in the Bad column. We still recommend upgrading to the known clean version to be on the safe side.
Plugins with no version number in the Clean column have not yet been upgraded, and we recommend replacing them with other plugins if at all possible.
Table 2: Plugins, versions compromised by the attack as well as known clean versions.
- This plugin has not been updated, but is believed to be clean as the version on the AccessPress Themes website was an older version.
- This plugin has not been updated, but is believed to be clean as it was not originally available on the AccessPress Themes website.
According to Jetpack, the corrupted software contained an initial.php script, which was added to the main directory of the theme or plugin and then included from its main functions.php file. initial.php acted as a dropper and used base64 encoding to mask its code. It downloaded the payload from wp-theme-connect[.]com and used it to install the backdoor as wp-includes/vars.php. After installation, the dropper deleted itself, trying to hide the traces of the attack.
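As an added, defender-side example (not code from the Jetpack or Sucuri reports), the script below checks a WordPress install for the chain described above: an initial.php in a theme's root, a functions.php that includes it, and a tampered wp-includes/vars.php. The regexes and the constructed sample site are assumptions made for the demonstration; wp-includes/vars.php is a legitimate core file, so the reliable check is a checksum against the clean release, which the caller supplies.

```python
import hashlib, os, re, tempfile

# Indicators derived from the article; exact include syntax is an assumption.
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?[^;]*initial\.php', re.I)
OBFUSCATION_RE = re.compile(r'base64_decode\s*\(', re.I)
DROPPER_NAME = "initial.php"
PAYLOAD_DOMAIN = "wp-theme-connect.com"   # defanged in the article as wp-theme-connect[.]com

def scan_wordpress(root, known_good_vars_sha256=None):
    """Return a list of (indicator, path) tuples found under a WordPress root."""
    findings = []
    themes_dir = os.path.join(root, "wp-content", "themes")
    if os.path.isdir(themes_dir):
        for theme in os.listdir(themes_dir):
            tdir = os.path.join(themes_dir, theme)
            dropper = os.path.join(tdir, DROPPER_NAME)
            if os.path.isfile(dropper):          # dropper still present (self-delete failed)
                findings.append(("dropper_present", dropper))
            functions = os.path.join(tdir, "functions.php")
            if os.path.isfile(functions):
                src = open(functions, encoding="utf-8", errors="replace").read()
                if INCLUDE_RE.search(src):       # functions.php wired to the dropper
                    findings.append(("functions_includes_dropper", functions))
    # vars.php is real core code; the backdoor overwrote it, so compare checksums.
    vars_php = os.path.join(root, "wp-includes", "vars.php")
    if os.path.isfile(vars_php):
        src = open(vars_php, encoding="utf-8", errors="replace").read()
        if OBFUSCATION_RE.search(src) or PAYLOAD_DOMAIN in src:
            findings.append(("vars_php_suspicious", vars_php))
        if known_good_vars_sha256:
            digest = hashlib.sha256(open(vars_php, "rb").read()).hexdigest()
            if digest != known_good_vars_sha256:
                findings.append(("vars_php_checksum_mismatch", vars_php))
    return findings

def build_sample_site():
    """Constructed sample: one theme whose functions.php includes the dropper."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "sample-theme")
    os.makedirs(theme)
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(theme, "functions.php"), "w") as f:
        f.write("<?php\nrequire_once __DIR__ . '/initial.php';\n")
    with open(os.path.join(theme, "initial.php"), "w") as f:
        f.write("<?php eval(base64_decode('...'));  // placeholder, not a real payload\n")
    with open(os.path.join(root, "wp-includes", "vars.php"), "w") as f:
        f.write("<?php // stand-in for the core file\n")
    return root

if __name__ == "__main__":
    for kind, path in scan_wordpress(build_sample_site()):
        print(kind, path)
```

On a real site the same checksum comparison is available for every core file via WP-CLI's `wp core verify-checksums`, which this script does not replace.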
Sucuri experts, who also studied the incident, report that although the attack on AccessPress lasted for several months, some of the sites infected with the backdoor contained spam that was almost three years old. That is, the attackers had long been selling access to hacked sites to other criminal groups.
According to the experts, the attackers used their backdoors simply to redirect visitors of the infected sites to fraudulent resources and sites serving malware. In that sense, the campaign was not especially sophisticated.
On January 17, 2022, AccessPress developers introduced new, “clean” versions of all their products.