In another case of a software supply-chain attack, dozens of WordPress themes and plugins hosted on a developer's own website were trojanized with malicious code during the first half of September 2021, with the goal of infecting further sites.
The backdoor gave attackers full administrative control over websites that were using any of 40 themes and 53 plugins owned by AccessPress Themes, a Nepal-based company with no fewer than 360,000 active website installs.
"The infected extensions contained a dropper for a web shell that gives attackers full access to infected sites," security researchers from Jetpack, a WordPress plugin suite developer, said in a report released this week. "The same extensions were fine if downloaded or installed directly from the WordPress[.]org directory."
The vulnerability has been assigned the identifier CVE-2021-24867. The Sucuri website security platform, in a separate analysis, noted that some of the infected websites found to be using this backdoor had spam payloads dating back nearly three years, implying that the actors behind the operation were selling access to the sites to operators of other spam campaigns.
Earlier this month, cybersecurity firm eSentire revealed how compromised WordPress websites belonging to legitimate companies are being used as a hotbed for spreading malware, serving an implant called GootLoader to unsuspecting users who search on engines like Google for postnuptial or intellectual property agreements.
Site owners who installed the plugins directly from the AccessPress Themes website are advised to immediately upgrade to a secure version or replace them with the latest version from WordPress[.]org. Updating the extension alone is not enough: because the dropper modifies files outside the extension itself, a clean copy of WordPress must also be deployed to undo the changes made when the backdoor was installed.
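The practical check behind that advice is a file-by-file comparison of what is installed against a trusted copy of the same version fetched from the WordPress[.]org directory, which the Jetpack report describes as clean. The script below is an added illustration, not code from Jetpack, Sucuri or AccessPress Themes: it hashes two directory trees and reports files that were added, removed or modified. The plugin name, file names and the injected snippet are constructed sample data for the demo, not indicators from the real incident, and the reference tree is assumed to have been unpacked from the official archive of the same version beforehand.

```python
"""Compare an installed WordPress extension against a trusted reference copy.

Added illustration, not the page's or any vendor's code. The reference tree is
assumed to be the same version unpacked from the WordPress.org archive. All
file names and contents below are constructed sample data.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            digests[p.relative_to(root).as_posix()] = file_digest(p)
    return digests


def compare_extension(installed: Path, reference: Path) -> dict:
    """Return files added, removed, or modified relative to the reference copy.

    'added' is the interesting bucket for a dropper: a file the official
    release never shipped. 'modified' catches an include line spliced into
    an existing file to load it.
    """
    got, want = tree_digests(installed), tree_digests(reference)
    return {
        "added": sorted(set(got) - set(want)),
        "removed": sorted(set(want) - set(got)),
        "modified": sorted(p for p in got.keys() & want.keys() if got[p] != want[p]),
    }


def build_sample_trees(base: Path) -> tuple:
    """Constructed sample: a clean plugin and a tampered copy of it."""
    ref = base / "reference" / "example-plugin"
    inst = base / "installed" / "example-plugin"
    clean_main = "<?php\n/* Plugin Name: Example Plugin */\nfunction example_init() {}\n"
    for root in (ref, inst):
        (root / "inc").mkdir(parents=True)
        (root / "example-plugin.php").write_text(clean_main)
        (root / "inc" / "helpers.php").write_text("<?php\nfunction example_helper() {}\n")
    # Tampering in the installed copy only: a new file plus a require spliced
    # into the main plugin file to load it (hypothetical, not a real indicator).
    (inst / "inc" / "loader.php").write_text("<?php\n// hypothetical dropper stub\n")
    (inst / "example-plugin.php").write_text(
        clean_main + "require_once __DIR__ . '/inc/loader.php';\n"
    )
    return inst, ref


def demo() -> dict:
    """Build the sample trees in a temp dir and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        inst, ref = build_sample_trees(Path(tmp))
        return compare_extension(inst, ref)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run the same comparison against a fresh WordPress release archive for the core tree as well, since the article notes the dropper's changes outlive a plugin update; WP-CLI's `wp plugin verify-checksums` and `wp core verify-checksums` automate the reference fetch for extensions and core that are published on WordPress[.]org.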
The findings also come as WordPress security firm Wordfence disclosed details of a now-patched cross-site scripting (XSS) vulnerability affecting a plugin called "WordPress Email Template Designer – WP HTML Mail," which is installed on over 20,000 websites.
Tracked as CVE-2022-0218, the bug carries a CVSS score of 8.3 and was fixed as part of updates released on January 13, 2022 (version 3.1).
“This flaw allowed an unauthenticated attacker to inject malicious JavaScript that would run whenever a site administrator accessed the template editor,” Chloe Chamberland noted. “This vulnerability would also allow them to modify the email template to contain arbitrary data that could be used to perform a phishing attack against anyone who received emails from the compromised site.”
According to statistics published by Risk Based Security this month, 2,240 security vulnerabilities were discovered and reported in third-party WordPress plugins by the end of 2021, up 142% from 2020, when nearly 1,000 vulnerabilities were disclosed. To date, a total of 10,359 WordPress plugin vulnerabilities have been discovered.