Over 90 AccessPress WordPress themes and plugins hacked, report says
WordPress admins who use plugins or themes downloaded from AccessPress are being urged to take action after researchers discovered that backdoors had been installed in numerous of the developer's products months ago.
AccessPress plugins and themes downloaded from WordPress.org are fine. However, those uploaded since September from AccessPress need to be mitigated.
According to researchers from WordPress security firm Jetpack, who discovered the compromise, most AccessPress plugins had been updated as of January 18. The affected themes, however, had not been updated as of that date and had been pulled from the WordPress.org theme repository. It is unclear at the time of publication whether the AccessPress themes have since been updated.
Administrators whose WordPress systems use the affected extensions should scan their systems for signs of compromise in addition to updating plugins and themes. Jetpack notes that upgrading to a new version of a theme or plugin does not remove the backdoor from a system, and advises administrators to reinstall a clean version of WordPress to undo the core file changes performed during the installation of the backdoor.
According to Sucuri researcher Ben Martin, once the AccessPress website was compromised, attackers placed PHP backdoors in many of its free plugins and themes. Martin said 40 themes were known to be affected, along with 53 plugins.
“The backdoor was quite simple,” he said, “but provided the attackers with full control over the victim’s websites.”
Nepal-based AccessPress creates 64 free and paid themes and templates to make things easier for WordPress designers, and 109 plugins to extend WordPress capabilities. Plugins include contact forms, blog managers, and e-commerce helpers.
WordPress plugins from various developers have been a target of hackers for years; attackers often use them to access online shoppers' credit and debit card data.
Jetpack said the infected extensions contained a dropper for a webshell that gives attackers full access to infected sites. The dropper is in the file inital.php, located in the main plugin or theme directory. When executed, it installs a cookie-based webshell in wp-includes/vars.php. The shell is installed as a function placed just in front of the wp_is_mobile() function, under the name wp_is_mobile_fix(). This, Jetpack said, is likely intended not to arouse suspicion in anyone casually browsing the vars.php file.
Once the shell is installed, Jetpack said, the dropper will phone home by loading a remote image from the URL hxxps://www.wp-theme-connect.com/images/wp-theme.jpg, passing the URL of the infected site and information about the theme it uses as query arguments. Finally, once that request is complete, it deletes the dropper's own source file to avoid detection.
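The indicators above translate directly into a host-side check. The following script is an added example written for this article, not Jetpack's or Sucuri's tooling: it walks a WordPress document root looking for an inital.php dropper in any plugin or theme directory, a wp_is_mobile_fix() function injected into wp-includes/vars.php, and any PHP file that references the wp-theme-connect.com phone-home host. Because the dropper deletes itself after phoning home, the vars.php check is the durable indicator; the sample WordPress tree the script builds in a temp directory, including the placeholder function stub, is constructed for the demonstration and contains none of the real backdoor code.

```python
"""Added example: scan a WordPress root for the AccessPress backdoor indicators
described in the article (constructed sample tree, not real malware)."""
import os
import re
import tempfile

DROPPER_NAME = "inital.php"   # spelling as reported by Jetpack
INJECTED_FUNC = re.compile(r"function\s+wp_is_mobile_fix\s*\(")
PHONE_HOME_HOST = "wp-theme-connect.com"


def _read(path):
    """Read a file as text, returning '' on any I/O error."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def scan_wordpress_root(root):
    """Return a sorted list of (indicator, relative_path) tuples found under root."""
    findings = set()

    # 1. Dropper file in the top-level directory of any plugin or theme.
    for ext_dir in ("plugins", "themes"):
        base = os.path.join(root, "wp-content", ext_dir)
        if not os.path.isdir(base):
            continue
        for name in sorted(os.listdir(base)):
            candidate = os.path.join(base, name, DROPPER_NAME)
            if os.path.isfile(candidate):
                findings.add(("dropper", os.path.relpath(candidate, root)))

    # 2. Injected wp_is_mobile_fix() in the core file wp-includes/vars.php.
    vars_php = os.path.join(root, "wp-includes", "vars.php")
    if os.path.isfile(vars_php) and INJECTED_FUNC.search(_read(vars_php)):
        findings.add(("webshell", os.path.relpath(vars_php, root)))

    # 3. Any PHP file under the root that references the phone-home host.
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".php"):
                path = os.path.join(dirpath, fn)
                if PHONE_HOME_HOST in _read(path):
                    findings.add(("phone_home", os.path.relpath(path, root)))

    return sorted(findings)


def indicator_kinds(root):
    """The distinct indicator names found under root."""
    return sorted({kind for kind, _ in scan_wordpress_root(root)})


def build_sample_root(infected):
    """Create a constructed, minimal WordPress tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    core = os.path.join(root, "wp-includes")
    plugin = os.path.join(root, "wp-content", "plugins", "sample-plugin")
    os.makedirs(core)
    os.makedirs(plugin)

    vars_src = "<?php\nfunction wp_is_mobile() {\n    return false;\n}\n"
    if infected:
        # Constructed placeholder: an empty stub with the reported name placed
        # just before wp_is_mobile(), mirroring where Jetpack said the shell sits.
        stub = "function wp_is_mobile_fix() {\n    /* placeholder */\n}\n"
        vars_src = vars_src.replace("function wp_is_mobile()",
                                    stub + "function wp_is_mobile()")
        with open(os.path.join(plugin, DROPPER_NAME), "w", encoding="utf-8") as fh:
            fh.write("<?php\n// constructed marker only; references "
                     + PHONE_HOME_HOST + "\n")
    with open(os.path.join(core, "vars.php"), "w", encoding="utf-8") as fh:
        fh.write(vars_src)
    with open(os.path.join(plugin, "sample-plugin.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// benign plugin main file\n")
    return root


if __name__ == "__main__":
    for label, infected in (("clean", False), ("infected", True)):
        print(label, scan_wordpress_root(build_sample_root(infected)))
```

Run it against a real install by calling scan_wordpress_root() with the document root instead of the sample tree. A clean result from this scan is not proof of a clean site: the article's advice still applies, namely reinstalling WordPress core from a clean copy, because the shell lives in a core file that plugin and theme updates never touch.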
“If you have any themes or plugins installed directly from AccessPress Themes or any other place except WordPress.org, you should immediately upgrade to a secure version as shown in the tables above”, said Jetpack. “If no secure version is available, replace it with the latest version from WordPress.org.”
Again, Jetpack urges administrators to reinstall a clean version of WordPress to undo the core file changes made during the backdoor installation.
“We strongly recommend that you have a security plan for your site that includes malicious file scanning and backups,” Jetpack said.
Sucuri said administrators should follow standard post-infection steps such as updating wp-admin administrator and database passwords as a precaution.