Several WordPress plug-ins have been taken offline after a hidden backdoor was discovered, enabling attackers to inject malicious code into websites using them. The vulnerability surfaced following the acquisition of Essential Plugin by a new corporate owner, after which the backdoor was added to the plug-in’s source code. Anchor Hosting founder Austin Ginder revealed the issue in a blog post last week, describing it as a supply chain attack.
The backdoor remained inactive until earlier this month, when it began distributing malicious code to affected sites. Essential Plugin reports over 400,000 installations and 15,000 customers, while WordPress’ plug-in directory indicates more than 20,000 active installations of the compromised plug-ins.
Plug-ins allow owners of WordPress-based websites to extend the site’s functionality, but in doing so they grant the plug-ins access to their installations, which can expose these websites to malicious extensions and potential compromise. Ginder also warned that WordPress users are not notified when a plug-in changes ownership, leaving them exposed to potential takeover attacks by the new owners.
According to Ginder, this is the second hijack of a WordPress plug-in discovered in as many weeks. Security researchers have long warned of the risks of malicious actors buying software and changing its code in order to compromise a large number of computers around the world.
While the plug-ins have been removed from WordPress’ directory and now list their closure as “permanent,” Ginder warned that WordPress owners should check if they still have one of the malicious plug-ins installed and remove it. Ginder has a list of the affected plug-ins in the blog post. Representatives for Essential Plugin did not respond to a request for comment.
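The two defensive checks the article describes, auditing a site for plug-ins on a known-compromised list and noticing when a plug-in's declared author changes after an ownership transfer, can be scripted against the `wp-content/plugins` directory. The following is an added example written for this page; it is not code from Anchor Hosting, Essential Plugin, or the WordPress project. The plug-in slugs, author names and files it builds are constructed for the demonstration (the article does not list the affected slugs; Ginder's blog post does), and the "baseline" of previously observed authors is assumed to have been recorded by the site owner earlier.

```python
"""Audit a WordPress plug-in directory against a watch-list of compromised
slugs and flag plug-ins whose header 'Author' differs from a recorded baseline.

Added example for this article, not code from the article, Anchor Hosting or
WordPress. All slugs, authors and files below are constructed placeholders."""
import os
import re
import tempfile

# Header fields WordPress reads from the main plug-in PHP file's comment block.
HEADER_FIELDS = ("Plugin Name", "Version", "Author")


def parse_plugin_header(path):
    """Extract WordPress-style header fields (e.g. 'Author: x') from a PHP file."""
    with open(path, encoding="utf-8", errors="replace") as f:
        head = f.read(8192)  # WordPress itself only inspects the first 8 KiB
    fields = {}
    for name in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":\s*(.*)$",
                      head, re.MULTILINE | re.IGNORECASE)
        if m:
            fields[name] = m.group(1).strip()
    return fields


def installed_plugins(plugins_dir):
    """Map each plug-in slug (directory name) to its parsed header fields."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        d = os.path.join(plugins_dir, slug)
        if not os.path.isdir(d):
            continue
        # The main file is whichever top-level .php file carries a Plugin Name header.
        for fn in sorted(os.listdir(d)):
            if fn.endswith(".php"):
                hdr = parse_plugin_header(os.path.join(d, fn))
                if "Plugin Name" in hdr:
                    found[slug] = hdr
                    break
    return found


def audit(plugins_dir, compromised_slugs, baseline):
    """Return (installed slugs on the watch-list, plug-ins whose Author changed).

    `baseline` maps slug -> header fields recorded at an earlier audit; an
    Author mismatch is the signal that ownership may have changed silently."""
    found = installed_plugins(plugins_dir)
    compromised = sorted(slug for slug in found if slug in compromised_slugs)
    changed = []
    for slug, hdr in found.items():
        base = baseline.get(slug)
        if base and base.get("Author") != hdr.get("Author"):
            changed.append((slug, base.get("Author"), hdr.get("Author")))
    return compromised, sorted(changed)


def build_demo():
    """Construct a throwaway wp-content/plugins tree so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="wp-plugins-demo-")

    def write(slug, name, author, version):
        d = os.path.join(root, slug)
        os.makedirs(d)
        with open(os.path.join(d, slug + ".php"), "w", encoding="utf-8") as f:
            f.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n"
                    f"Author: {author}\n*/\n")

    # Constructed placeholders, not real plug-ins from the article.
    write("example-slider", "Example Slider", "new-owner-llc", "2.0.1")
    write("harmless-seo", "Harmless SEO", "seo-dev", "1.4")
    return root


if __name__ == "__main__":
    root = build_demo()
    watch_list = {"example-slider"}                      # placeholder slug
    baseline = {"example-slider": {"Author": "original-dev"},
                "harmless-seo": {"Author": "seo-dev"}}
    comp, chg = audit(root, watch_list, baseline)
    print("installed plug-ins on the compromised list:", comp)
    print("plug-ins whose Author changed since baseline:", chg)
```

The script only reports; removing a flagged plug-in is best done through the WordPress admin screen or `wp plugin delete <slug>` so that activation hooks and database options are cleaned up too. Re-run the audit against a saved baseline on a schedule, since, as the article notes, WordPress will not tell the site owner when a plug-in changes hands.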
Source: Tech Crunch

