Even more WordPress themes have serious security backdoors

WordPress logo
(Image credit: WordPress)

A recently discovered supply chain attack has reportedly left more than 300,000 WordPress sites at risk of attack. 

Cybersecurity researchers from Jetpack (a security and optimization tool for  WordPress) found that a malicious actor has compromised AccessPress, a developer of themes and add-ons for the website builder.

AccessPress has so far built 40 themes and 53 plugins. All of the free ones have been compromised, so that once installed, they allow the attackers full control over the website. The researchers did not test the commercial ones, and cannot confirm if they’ve been compromised as well. The report also states that the malicious code that grants attackers access, covers its tracks with relative success. The only way to discover if a site was compromised or not, is to use a core file integrity monitoring solution, it was said.

Selling the vulnerability online

So far, researchers have found, the backdoor was used to redirect visitors to malware-dropping and scam sites. Given the complexity of the initial compromise, and the lack of sophistication in the second stage, researchers are inclined to believe that the original malicious actors most likely sold the access to third parties on the dark web.

BleepingComputer says 360,000 websites are using AccessPress’ add-ons and themes. JetPack first discovered the threat in September 2021, while AccessPress pulled them from the store on October 15. After a few months of tackling the issue, the developers issued a new, clean version, of all the affected plugins on January 17.

However, if the site has already been compromised, simply installing the latest version will not remove the backdoor. It will just prevent future threats. So far, BleepingComputer says, the only way to clean up the site is to migrate to a different theme. 

To learn if your site was compromised, WordPress users can follow the instructions found here

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over 10,000 WordPress sites found showing fake Google browser update pages to spread malware
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
WordPress
Another top WordPress plugin found carrying critical security flaws
WordPress
WordPress users beware - these popular theme plugins have some major security issues
Latest in Website Building
Wix automation
The world's leading website builder aims to save businesses time with new tool
Squarespace
Build a website for less with 10% off Squarespace subscriptions
Squarespace
Fresh season, fresh start— launch your dream website with Squarespace with this offer
Wix Printful
Wix teams up with Printful for in-house print-on-demand tools
Squarespace
Don't miss out on this great Squarespace deal
Hostinger Website Builder vs WordPress.com: Which is better?
Hostinger Website Builder vs WordPress.com: Battle of the WordPress website builders
Latest in News
Garmin clippd integration
Garmin's golf watches just got a big software integration upgrade to help you improve your game
Robert Downey Jr reveals himself as Doctor Doom to a delighted crowd at San Diego Comic-Con 2024
Marvel is currently making a major announcement about Avengers: Doomsday's cast on YouTube, and I think it's going to be a long-winded reveal
Samsung QN90F on yellow background
Samsung announces US prices for its 2025 mini-LED TV lineup, and it’s good and bad news
Nintendo Switch Lite
Forget the Nintendo Switch 2, the original Switch is getting one last hurrah in a surprise Nintendo Direct tomorrow
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
Samsung Galaxy S25 Edge colors seemingly revealed in new video, and there’s another sign of an imminent launch
Microsoft Copiot Studio deep reasoning and agent flows
Microsoft reveals OpenAI-powered Copilot AI agents to bosot your work research and data analysis