Dozens of plugins for the widely used open source blogging software WordPress are now offline after a backdoor was discovered in them, used to push malicious code to any website that relied on the plugins. The backdoor was added after a new corporate owner purchased the plugins.
Anchor Hosting founder Austin Ginder sounded the alarm in a blog post last week describing a supply chain attack on a WordPress plugin builder called Essential Plugin. Ginder said someone purchased Essential Plugin last year, and the backdoor was soon added to the plugins' source code. The backdoor lay dormant until earlier this month, when it was activated and began distributing malicious code to any website with the plugins installed.
Essential Plugin states on its website that it has more than 400,000 plugin installations and more than 15,000 customers. The WordPress plugin directory page says the affected plugins are on over 20,000 active WordPress installations.
Plugins allow WordPress-based site owners to extend a site's functionality, but in doing so they grant the plugins access to their sites, which can open those sites up to malicious extensions and potential compromise. Ginder also warned that WordPress users are not notified of any change in a plugin's ownership, exposing them to potential takeover attacks by the new owners.
According to Ginder, this is the second hijacking of a WordPress plugin discovered in as many weeks. Security researchers have long warned of the dangers of malicious actors buying software and changing its code in order to compromise large numbers of computers around the world.
While the plugins have been removed from the WordPress directory, which now lists their closure as "permanent," Ginder warned that WordPress site owners should check whether they still have one of the malicious plugins installed and remove it. Ginder's blog post has a list of the affected plugins.
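One way to carry out that check, as an added example that is not from Ginder's post or the WordPress project: a Python script that reads the header block of each plugin under wp-content/plugins and flags any whose directory slug is on an affected list (a placeholder here; Ginder's post has the real list) or whose Author header names the vendor (an assumption about how the plugins are labelled). It covers plugins that are installed but inactive, since a closed plugin stays on disk until removed.

```python
import os
import re

# Constructed sample: the header block WordPress reads from a plugin's main PHP file.
SAMPLE_PLUGIN_PHP = """<?php
/**
 * Plugin Name: Example Widgets Pack
 * Plugin URI:  https://example.invalid/widgets
 * Author:      Essential Plugin
 * Version:     2.3.1
 */
"""

HEADER_FIELDS = ("Plugin Name", "Author", "Version")

# Placeholder: replace with the affected plugin slugs from Ginder's blog post.
AFFECTED_SLUGS = {"placeholder-affected-plugin"}
# Assumption: plugins from the vendor carry its name in the Author header.
SUSPECT_AUTHOR = re.compile(r"essential\s*plugin", re.IGNORECASE)


def parse_plugin_header(php_source):
    """Return the WordPress header fields found in the first 8 KB of a plugin file."""
    head = php_source[:8192]
    fields = {}
    for name in HEADER_FIELDS:
        # Header lines look like " * Author: Some Vendor" inside a PHP comment.
        m = re.search(r"^[ \t/*#]*" + re.escape(name) + r":[ \t]*(.+?)[ \t]*$", head, re.MULTILINE)
        if m:
            fields[name] = m.group(1)
    return fields


def is_suspect(slug, header):
    """Flag a plugin by its directory slug or by the vendor name in its Author header."""
    if slug in AFFECTED_SLUGS:
        return True
    return bool(SUSPECT_AUTHOR.search(header.get("Author", "")))


def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins and return {slug: header} for every suspect plugin, active or not."""
    flagged = {}
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_path):
            continue
        for fname in sorted(os.listdir(plugin_path)):
            if not fname.endswith(".php"):
                continue
            with open(os.path.join(plugin_path, fname), encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read())
            if "Plugin Name" in header:  # this is the plugin's main file
                if is_suspect(slug, header):
                    flagged[slug] = header
                break
    return flagged


if __name__ == "__main__":
    for slug, hdr in scan_plugins_dir("wp-content/plugins").items():
        print(f"SUSPECT {slug}: {hdr.get('Plugin Name')} by {hdr.get('Author')}")
```

Run it from the WordPress root; anything it flags should be deactivated and deleted, not merely updated, since the directory listing is closed and no clean release will arrive.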
Essential Plugin representatives did not respond to a request for comment.
