Someone has put backdoors into dozens of WordPress plugins used by thousands of websites


Dozens of plugins for the widely used open-source weblog software WordPress are now offline after a backdoor was discovered that was used to push malicious code to any website that uses the plugins. The backdoor was discovered after the new corporate owner purchased these plugins.

Anchor Hosting founder Austin Ginder sounded the alarm in a blog post last week describing a supply chain attack on a WordPress plugin maker called Essential Plugin. Ginder said someone purchased Essential Plugin last year, and a backdoor was soon added to the plugins' source code. The backdoor remained dormant until earlier this month, when it was activated and began pushing malicious code to any website with one of the plugins installed.

Essential Plugin says on its website that it has over 400,000 plugin installations and over 15,000 customers. The WordPress plugin installation page says the affected plugins are on over 20,000 active WordPress installations.

Plugins let owners of WordPress-based websites extend a site’s functionality, but they also give the plugin code access to those installations, which can expose the websites to malicious extensions and potential compromise. Ginder also warned that WordPress users are not notified when a plugin changes ownership, leaving them exposed to potential takeover attacks by new owners.

According to Ginder, this is the second hijacking of a WordPress plugin discovered within a few weeks. Security researchers have long warned of the risk of malicious actors purchasing software and modifying its code to compromise large numbers of computers around the world.

While the plugins have been removed from the WordPress directory, which now marks their closure as “permanent,” Ginder warned that WordPress site owners should still check whether any of the malicious plugins is installed and remove it. Ginder’s blog post includes a list of the affected plugins.
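One way to perform the check Ginder recommends, as an added example that is not from the article or from Anchor Hosting: compare the directories under a site’s wp-content/plugins against a file of affected plugin slugs. The slugs used here are placeholders; the real list comes from Ginder’s post.

```shell
#!/bin/sh
# Added example (not the article's or Anchor Hosting's code): report installed
# WordPress plugins whose directory name appears in a list of affected slugs.
# The slug names below are PLACEHOLDERS, not the real affected plugins.

# find_affected_plugins PLUGINS_DIR SLUG_FILE
# Prints each plugin directory under PLUGINS_DIR whose name is listed in
# SLUG_FILE (one slug per line). Prints nothing if none match.
find_affected_plugins() {
    plugins_dir="$1"
    slug_file="$2"
    for dir in "$plugins_dir"/*/; do
        [ -d "$dir" ] || continue          # no plugins at all: glob stays literal
        slug=$(basename "$dir")            # basename drops the trailing slash
        # -F literal, -x whole line, so "foo" does not match "foo-pro"
        if grep -Fxq "$slug" "$slug_file"; then
            echo "$slug"
        fi
    done
}

# Constructed demo: a throwaway plugins directory with three plugins, two of
# which are on the (placeholder) affected list.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/plugins/placeholder-affected-one" \
             "$tmp/plugins/placeholder-affected-two" \
             "$tmp/plugins/unrelated-plugin"
    printf '%s\n' placeholder-affected-one placeholder-affected-two \
        > "$tmp/affected.txt"
    find_affected_plugins "$tmp/plugins" "$tmp/affected.txt"
    rm -rf "$tmp"
}
```

On a real site run `find_affected_plugins /path/to/wp-content/plugins affected.txt`; a non-empty result means the plugin should be removed, not merely deactivated, since the article notes the code was pushed to any site with the plugin installed.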

Essential Plugin representatives did not respond to a request for comment.
