Post by account_disabled on Feb 25, 2024 4:16:26 GMT
In recent days, Automattic researchers have discovered that several themes and plugins developed by AccessPress were compromised by the insertion of backdoors, in what can be described as a supply-chain attack. Around 360,000 WordPress-based sites are estimated to be affected. In a supply-chain attack of this kind, the attacker gains access to the site that hosts the software and replaces the original package with an infected version. The backdoor code is present in 40 themes and 53 AccessPress plugins; we emphasize that the versions published in the WordPress.org repositories have not been compromised.
Jetpack claims to have discovered this vulnerability in September 2021, immediately communicating it to AccessPress, who responded a month later saying they had removed the affected extensions. AccessPress released updated versions of the plugins in January; however, according to Jetpack, the affected themes have not yet been updated.

Contents: Backdoor analysis; WordPress themes and plugins involved; How to protect WordPress

Backdoor analysis

This backdoor allows an attacker to take control of affected sites and has primarily been exploited to distribute spam and malware. As the official Jetpack website explains, the malicious code was added to a file named initial.php located in the main plugin or theme directory.
When run, it installs a cookie-based webshell in ./wp-includes/vars.php: the shell is added as a function named wp_is_mobile_fix(), placed just before the legitimate wp_is_mobile(). (Figure: first-phase backdoor analysis) Once the shell is installed, a remote image is requested from hxxps://www.wp-theme-connect.com/images/wp-theme.jpg, with the URL of the infected site and information about the theme in use passed along in the request. (Figure: second-phase backdoor analysis)

How to protect WordPress

We recommend that anyone who installed plugins or themes directly from the AccessPress Themes website replace them with copies downloaded from WordPress.org, or immediately upgrade them to a fixed version. The problem does not affect AccessPress components installed directly from the official WordPress.org repository.
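The indicators the post lists (an extra wp_is_mobile_fix() function in wp-includes/vars.php, a reference to the wp-theme-connect.com host, and an initial.php dropped at the root of a plugin or theme directory) are easy to check for on a site you administer. The following scanner is an added example written for this post; it is not Jetpack's or AccessPress's code. It assumes the standard WordPress layout (wp-includes/, wp-content/plugins/, wp-content/themes/) and builds a constructed sample site in a temporary directory so it can be run offline; the "infected" fixture only reproduces the file names and function name, not any shell logic.

```python
import re
import tempfile
from pathlib import Path
from typing import List

# Indicators of compromise taken from the Jetpack findings summarised above.
SHELL_FUNCTION = "wp_is_mobile_fix"      # function injected next to wp_is_mobile()
BEACON_HOST = "wp-theme-connect.com"     # host contacted once the shell is in place
DROPPER_FILE = "initial.php"             # file added to the plugin/theme root

# Matches a PHP function definition with the injected name; tolerates spacing and case.
_SHELL_DEF = re.compile(r"function\s+" + re.escape(SHELL_FUNCTION) + r"\s*\(", re.IGNORECASE)


def scan_vars_php(content: str) -> List[str]:
    """Return findings for the text of wp-includes/vars.php."""
    findings = []
    if _SHELL_DEF.search(content):
        findings.append(f"wp-includes/vars.php defines {SHELL_FUNCTION}()")
    if BEACON_HOST in content:
        findings.append(f"wp-includes/vars.php references {BEACON_HOST}")
    return findings


def scan_extension_dirs(wp_root: Path) -> List[str]:
    """Flag an initial.php sitting directly inside any plugin or theme directory."""
    findings = []
    for base in ("wp-content/plugins", "wp-content/themes"):
        base_dir = wp_root / base
        if not base_dir.is_dir():
            continue
        for ext_dir in sorted(p for p in base_dir.iterdir() if p.is_dir()):
            dropper = ext_dir / DROPPER_FILE
            if dropper.is_file():
                findings.append(f"{dropper.relative_to(wp_root).as_posix()} present")
    return findings


def scan_site(wp_root: Path) -> List[str]:
    """Run both checks against a WordPress install rooted at wp_root."""
    findings = []
    vars_php = wp_root / "wp-includes" / "vars.php"
    if vars_php.is_file():
        findings.extend(scan_vars_php(vars_php.read_text(errors="replace")))
    findings.extend(scan_extension_dirs(wp_root))
    return findings


def build_sample_site(infected: bool) -> Path:
    """Create a constructed WordPress-like tree in a temp dir (fixture, not real core files)."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-includes").mkdir()
    (root / "wp-content" / "plugins" / "sample-plugin").mkdir(parents=True)
    (root / "wp-content" / "themes" / "sample-theme").mkdir(parents=True)

    # Constructed stand-in for the legitimate wp_is_mobile() definition.
    vars_src = "<?php\nfunction wp_is_mobile() {\n    return false; // constructed stub\n}\n"
    if infected:
        # Only the name and position are mimicked; the body is an empty placeholder.
        vars_src = (
            "<?php\nfunction wp_is_mobile_fix() {\n"
            "    /* constructed placeholder, no webshell logic */\n}\n"
        ) + vars_src
        (root / "wp-content" / "themes" / "sample-theme" / DROPPER_FILE).write_text(
            "<?php /* constructed placeholder dropper */\n"
        )
    (root / "wp-includes" / "vars.php").write_text(vars_src)
    return root


if __name__ == "__main__":
    for label, infected in (("clean", False), ("infected", True)):
        site = build_sample_site(infected)
        print(label, scan_site(site) or ["no indicators found"])
```

Point scan_site() at a real install root to check it. Because these checks key on names the post reports, a variant that renames the function or host would slip past them; a more robust check for the vars.php modification is to compare core files against the known-good release, for example with `wp core verify-checksums` from WP-CLI, and to reinstall any themes or plugins obtained from the AccessPress site with copies from WordPress.org.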