Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites
Source: TechCrunch

Backdoor discovered in WordPress plugins
Dozens of plugins for the widely used open‑source blogging platform WordPress have been taken offline after a backdoor was discovered that could push malicious code to any site relying on the affected plugins. The backdoor was added after a new corporate owner purchased the plugins.
Anchor Hosting founder Austin Ginder sounded the alarm in a blog post last week, describing a supply‑chain attack on a WordPress plugin maker called Essential Plugin. Ginder said someone bought Essential Plugin last year (see Flippa article) and the backdoor was soon added to the plugins’ source code. It remained dormant until earlier this month, when it activated and began distributing malicious code to any website with the plugins installed.
Essential Plugin’s website states it has over 400,000 plugin installs and more than 15,000 customers. WordPress’s plugin directory indicates the affected plugins are present in over 20,000 active WordPress installations.
Impact and risks
Plugins extend a WordPress site’s functionality, but they also gain access to the site’s files and database. A malicious plugin can therefore compromise the entire installation. Ginder warned that WordPress users are not notified when a plugin changes ownership, leaving them vulnerable to takeover attacks by new owners.
According to Ginder, this is the second hijack of a WordPress plugin discovered within weeks. Security researchers have long warned about the risks of malicious actors buying software and altering its code to compromise large numbers of sites worldwide (Pluto Security article).
Remediation
The plugins have been removed from WordPress’s directory and are now listed as “permanent” closures (plugin page). WordPress site owners should:
- Check their installations for any of the malicious plugins.
- Remove any affected plugins immediately.
Ginder provides a list of the affected plugins in his blog post.
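One way to carry out the "check your installation" step across every plugin at once, as an added example that is not code from the article or from Anchor Hosting: walk wp-content/plugins, parse each plugin's header the way WordPress does, and flag any slug on the affected list. The slugs in AFFECTED_SLUGS are constructed placeholders standing in for Ginder's list, and the sample install is a constructed fixture.

```python
"""Audit installed WordPress plugins against a list of affected slugs.
Added example, not from the TechCrunch article or Anchor Hosting; AFFECTED_SLUGS
are constructed placeholders (the real list is in Ginder's post). Assumes the
standard wp-content/plugins/<slug>/ layout and WordPress's plugin header block."""
import re
import tempfile
from pathlib import Path

HEADER_FIELDS = ("Plugin Name", "Version", "Author", "Plugin URI")
AFFECTED_SLUGS = {"example-affected-plugin", "another-affected-plugin"}  # placeholders

def read_plugin_header(plugin_dir: Path) -> dict:
    """Parse the header WordPress reads from the first 8 KiB of a top-level .php file."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        fields = {}
        for key in HEADER_FIELDS:
            m = re.search(rf"^[ \t/*#@]*{re.escape(key)}:(.*)$", head, re.M | re.I)
            if m:  # drop a trailing comment terminator, as WordPress's cleanup does
                fields[key] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
        if "Plugin Name" in fields:  # the first file naming a plugin is its entry point
            fields["file"] = php.name
            return fields
    return {}

def audit_plugins(wp_root: Path, affected: set) -> list:
    """One record per installed plugin; 'affected' marks slugs on the list. Author and
    Version are recorded so an unannounced ownership change shows up between runs."""
    plugins_dir = wp_root / "wp-content" / "plugins"
    return [{"slug": d.name, "affected": d.name in affected, **read_plugin_header(d)}
            for d in sorted(p for p in plugins_dir.iterdir() if p.is_dir())]

def build_sample_install(root: Path) -> Path:
    """Write a constructed sample plugins tree (a fixture, not a real install)."""
    samples = {"example-affected-plugin": ("Example Affected", "2.1.0", "New Owner Ltd"),
               "harmless-plugin": ("Harmless", "1.0", "Original Dev")}
    for slug, (name, ver, author) in samples.items():
        d = root / "wp-content" / "plugins" / slug
        d.mkdir(parents=True)
        (d / f"{slug}.php").write_text(
            f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n * Author: {author}\n */\n")
    return root

def demo_audit() -> list:
    """Audit the constructed sample install in a temp dir; removal is left to the owner."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_plugins(build_sample_install(Path(tmp)), AFFECTED_SLUGS)
```

On a real site, point audit_plugins at the WordPress root and replace the placeholder set with the slugs from Ginder's post; any record with affected set is a plugin to remove.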
Representatives for Essential Plugin did not respond to a request for comment.