A recently discovered supply chain attack has reportedly left more than 300,000 WordPress sites at risk of attack.
Cybersecurity researchers from Jetpack (a security and optimization tool for WordPress) found that a malicious actor has compromised AccessPress, a developer of themes and add-ons for the website builder.
AccessPress has so far built 40 themes and 53 plugins. All of the free ones have been compromised, so that once installed, they allow the attackers full control over the website. The researchers did not test the commercial ones, and cannot confirm if they’ve been compromised as well. The report also states that the malicious code that grants attackers access, covers its tracks with relative success. The only way to discover if a site was compromised or not, is to use a core file integrity monitoring solution, it was said.
Selling the vulnerability online
So far, researchers have found, the backdoor was used to redirect visitors to malware-dropping and scam sites. Given the complexity of the initial compromise, and the lack of sophistication in the second stage, researchers are inclined to believe that the original malicious actors most likely sold the access to third parties on the dark web.
BleepingComputer says 360,000 websites are using AccessPress’ add-ons and themes. JetPack first discovered the threat in September 2021, while AccessPress pulled them from the store on October 15. After a few months of tackling the issue, the developers issued a new, clean version, of all the affected plugins on January 17.
However, if the site has already been compromised, simply installing the latest version will not remove the backdoor. It will just prevent future threats. So far, BleepingComputer says, the only way to clean up the site is to migrate to a different theme.
To learn if your site was compromised, WordPress users can follow the instructions found here.