Jetpack Discovers Backdoor in Popular WordPress Themes and Plugins
AccessPress Themes customers should be on the lookout for updated versions of the company’s WordPress themes and plugins: according to Jetpack, older versions of popular plugins have been compromised to distribute backdoors as part of a supply chain attack.
Jetpack says it discovered the compromised versions of these add-ons in September 2021. It disclosed the issue to AccessPress Themes a few days later, but did not receive a response until it escalated the issue to the WordPress.org Plugins Team in October 2021.
AccessPress Themes then “immediately removed the offending plugins from their website,” says Jetpack, and by January the company had released updated versions of most of the plugins. But it still hasn’t updated any of the affected themes, according to Jetpack.
This means that the response required of AccessPress Themes customers depends on whether they use one of the company’s themes or one of its plugins. Jetpack says the former group should move to a new theme; the latter group should ensure that updated versions of the plugins are installed.
“Please note that this does not remove the backdoor from your system,” says Jetpack, “so additionally you need to reinstall a clean version of WordPress to undo the core file changes made while installing the backdoor.”
The issue does not affect AccessPress Themes add-ons downloaded from the official WordPress.org directory, Jetpack says, but users should still install the patched versions of the extensions. The company’s themes have also been removed from the directory.
A list of compromised AccessPress Themes add-ons is available via the Jetpack blog. However, Jetpack says it only analyzed themes and plugins available for free, and says AccessPress Themes customers should contact the company for information about paid add-ons.
AccessPress Themes does not appear to have acknowledged this incident. It last tweeted in March 2021 and hasn’t posted anything on Facebook since Jan. 5, which was before Jetpack’s disclosure. The company did not immediately respond to a request for comment.