Thursday, May 19, 2022

Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes

In yet another instance of a software supply chain attack, dozens of WordPress themes and plugins hosted on a developer’s website were backdoored with malicious code in the first half of September 2021 with the goal of infecting further sites.

The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based company that boasts of no fewer than 360,000 active website installations.

“The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites,” security researchers from JetPack, a WordPress plugin suite developer, said in a report published this week. “The same extensions were fine if downloaded or installed directly from the WordPress[.]org directory.”


The vulnerability has been assigned the identifier CVE-2021-24867. Website security platform Sucuri, in a separate analysis, said some of the infected websites found using this backdoor had spam payloads dating back almost three years, implying that the actors behind the operation were selling access to the sites to operators of other spam campaigns.

Earlier this month, cybersecurity firm eSentire disclosed how compromised WordPress websites belonging to legitimate businesses are used as a hotbed for malware delivery, serving unsuspecting users searching for postnuptial or intellectual property agreements on search engines like Google with an implant called GootLoader.

Website owners who have installed the plugins directly from AccessPress Themes’ website are advised to upgrade immediately to a safe version, or replace it with the latest version from WordPress[.]org. Additionally, a clean version of WordPress must be deployed to revert the changes made during the installation of the backdoor.

The findings also come as WordPress security company Wordfence disclosed details of a now-patched cross-site scripting (XSS) vulnerability impacting a plugin called “WordPress Email Template Designer – WP HTML Mail” that is installed on over 20,000 websites.

Tracked as CVE-2022-0218, the bug has been rated 8.3 on the CVSS vulnerability scoring system and has been addressed as part of updates released on January 13, 2022 (version 3.1).
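Because the same extensions were clean when obtained from the WordPress[.]org directory, one practical check for a site owner is to diff the installed copy of a plugin or theme against a freshly downloaded reference copy, flagging files that were added (a planted dropper) or altered (an injected loader). The following is an added example, not code from the article or from JetPack or AccessPress Themes; the plugin name and file contents are constructed samples, and the reference directory is assumed to be a trusted unzip of the official package.

```python
import hashlib
import tempfile
from pathlib import Path


def _hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_plugin_trees(installed, reference):
    """Compare an installed plugin/theme directory with a clean reference copy.

    'added' lists files present only in the installed copy (where a dropped
    web shell or loader file shows up), 'modified' lists files whose contents
    differ from the reference, and 'missing' lists files the attacker removed."""
    inst, ref = _hash_tree(installed), _hash_tree(reference)
    common = set(inst) & set(ref)
    return {
        "added": sorted(set(inst) - set(ref)),
        "modified": sorted(f for f in common if inst[f] != ref[f]),
        "missing": sorted(set(ref) - set(inst)),
    }


def build_sample_trees(base):
    """Constructed sample (not real AccessPress files): a clean reference copy
    and an installed copy with one altered file and one extra PHP file."""
    ref, inst = base / "reference" / "sample-plugin", base / "installed" / "sample-plugin"
    for d in (ref, inst):
        (d / "inc").mkdir(parents=True, exist_ok=True)
    main_php = "<?php\n// Plugin Name: Sample Plugin\nfunction sample_init() {}\n"
    helper_php = "<?php\nfunction sample_helper() { return 1; }\n"
    (ref / "sample-plugin.php").write_text(main_php)
    (ref / "inc" / "helper.php").write_text(helper_php)
    (inst / "sample-plugin.php").write_text(main_php + "require_once __DIR__ . '/inc/extra.php';\n")
    (inst / "inc" / "helper.php").write_text(helper_php)
    (inst / "inc" / "extra.php").write_text("<?php\n// placeholder standing in for a planted file\n")
    return inst, ref


def run_sample():
    """Build the constructed trees in a temp dir and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        return compare_plugin_trees(*build_sample_trees(Path(tmp)))


if __name__ == "__main__":
    for kind, files in run_sample().items():
        print(f"{kind}: {files}")
```

Any hit in "added" or "modified" warrants a manual review of that file before the site is rebuilt from a clean WordPress install as the article advises.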


“This flaw made it possible for an unauthenticated attacker to inject malicious JavaScript that would execute whenever a site administrator accessed the template editor,” Chloe Chamberland said. “This vulnerability would also allow them to modify the email template to contain arbitrary data that could be used to perform a phishing attack against anyone who received emails from the compromised site.”

According to statistics published by Risk Based Security this month, a whopping 2,240 security flaws were discovered and reported in third-party WordPress plugins toward the end of 2021, up 142% from 2020, when nearly 1,000 vulnerabilities were disclosed. To date, a total of 10,359 WordPress plugin vulnerabilities have been uncovered.
