On April 15th, TechCrunch reported that dozens of plugins for the popular open-source blogging software WordPress were taken down after a backdoor was discovered in them. The backdoor could push malicious code to every website running one of these plugins. It was discovered after the plugins had been acquired by a new company.

appreviewpros.com noted that Austin Ginder, founder of web hosting provider Anchor Hosting, warned in a blog post last week about a supply chain attack targeting WordPress plugin developer Essential Plugin. Ginder stated that Essential Plugin was acquired last year, and shortly thereafter, a backdoor was implanted into the plugin’s source code. This backdoor had been dormant until earlier this month when it was activated and began distributing malicious code to all websites that had the plugin installed.
Essential Plugin claims on its website that its plugins have been installed over 400,000 times and have over 15,000 customers. The WordPress plugin installation page shows that the affected plugin is being used on over 20,000 active WordPress sites.
Plugins allow WordPress website owners to extend the functionality of their websites, but this also means that plugins gain access to the website, potentially exposing it to malicious extensions or even intrusion. Ginder warned that WordPress users receive no notification when a plugin changes ownership, which leaves them exposed to takeover and attack by a new plugin owner.
According to Ginder, this is the second WordPress plugin hijacking incident discovered in just two weeks. Security researchers have long warned of the risk that malicious actors acquire software and modify its code to compromise large numbers of computers worldwide.
Although the affected plugins have been removed from the official WordPress plugin repository and marked as permanently closed, Ginder still urges WordPress website owners to check whether any of these malicious plugins are still installed and to remove them immediately. Ginder provided a complete list of affected plugins in his blog post.