Dozens of plugins for the widely used open source blogging software WordPress have been taken offline following the discovery of a backdoor that could be used to push malicious code to websites relying on them. The backdoor was discovered after a new owner acquired the plugins.
Austin Ginder, founder of Anchor Hosting, sounded the alarm last week in a blog post describing a supply chain attack against a WordPress plugin maker called Essential Plugin. Ginder said someone bought Essential Plugin last year and quickly added a backdoor to the plugins’ source code. The backdoor lay dormant until earlier this month, when it became active and began distributing malicious code to websites where the plugins were installed.
Essential Plugin states on its website that the plugin has over 400,000 installations and over 15,000 customers. According to WordPress’ plugin installation page, the affected plugins are included in over 20,000 active WordPress installations.
Plugins let owners of WordPress-based websites extend the functionality of their sites, but installing a plugin grants its code access to the site, which can expose the site to malicious extensions and breaches. Ginder also warned that WordPress users are not notified when a plugin changes ownership, leaving them open to takeover by a new owner.
According to Ginder, this is the second WordPress plugin hijacking discovered in recent weeks. Security researchers have long warned about the risk of malicious attackers purchasing software and modifying its code to compromise large numbers of computers around the world.
Although these plugins have been removed from the WordPress directory, which now lists their closure as “permanent,” Ginder warned that WordPress site owners should check whether any of the malicious plugins are still installed and remove them, since removal from the directory does not uninstall a plugin from existing sites. Ginder’s blog post includes a list of affected plugins.
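The check Ginder recommends, as an added example that is not from the article or from Anchor Hosting: walk a site's wp-content/plugins directory, read each plugin's WordPress header block (the "Plugin Name:" / "Version:" comment WordPress itself parses from the first 8 KiB of the main PHP file), and report any directory slug that appears on the affected list. The slugs in AFFECTED_SLUGS are placeholders, since the real list lives in Ginder's post; the demo plugin tree is constructed in a temporary directory so the script runs offline.

```python
"""Flag installed WordPress plugins whose directory slug is on a known-compromised list.

Added example, not code from the article or from Anchor Hosting. AFFECTED_SLUGS holds
placeholder slugs; replace them with the list published in Ginder's blog post.
"""
import os
import re
import tempfile

# Placeholder slugs (assumption): substitute the affected plugin slugs from Ginder's post.
AFFECTED_SLUGS = {"example-compromised-plugin", "another-compromised-plugin"}

# WordPress plugin headers are comment lines such as " * Plugin Name: Foo" near the top
# of the plugin's main PHP file. "Author URI:" and "Plugin URI:" deliberately do not match.
_HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version|Author):\s*(.+?)\s*$", re.M)


def parse_plugin_header(php_path):
    """Return the header fields found in the first 8 KiB of a PHP file (the window WordPress reads)."""
    with open(php_path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return {m.group(1): m.group(2) for m in _HEADER_RE.finditer(head)}


def list_installed_plugins(plugins_dir):
    """Map each plugin directory slug to its header fields (empty dict if no header is found)."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        header = {}
        for name in sorted(os.listdir(plugin_dir)):
            if name.endswith(".php"):
                header = parse_plugin_header(os.path.join(plugin_dir, name))
                if "Plugin Name" in header:
                    break  # the main plugin file is the one carrying the header
        found[slug] = header
    return found


def find_affected(plugins_dir, affected_slugs=AFFECTED_SLUGS):
    """Return {slug: header} for installed plugins whose slug is on the affected list."""
    installed = list_installed_plugins(plugins_dir)
    return {slug: hdr for slug, hdr in installed.items() if slug in affected_slugs}


def build_demo_install():
    """Create a constructed wp-content/plugins tree: one affected slug and one benign one."""
    root = tempfile.mkdtemp(prefix="wp-plugins-demo-")
    samples = {
        "example-compromised-plugin": "Example Compromised Plugin",
        "harmless-plugin": "Harmless Plugin",
    }
    for slug, title in samples.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n/**\n * Plugin Name: %s\n * Version: 1.0.0\n"
                     " * Author: Constructed Sample\n */\n" % title)
    return root


if __name__ == "__main__":
    # Point this at a real site's wp-content/plugins directory instead of the demo tree.
    demo = build_demo_install()
    for slug, hdr in find_affected(demo).items():
        print("REMOVE: %s (%s %s)" % (slug, hdr.get("Plugin Name"), hdr.get("Version")))
```

Matching on the directory slug rather than the display name is deliberate: the slug is what the WordPress directory closed, and a renamed "Plugin Name" header would otherwise slip past the check. A hit should be removed from the site outright, not merely deactivated, since the backdoored code remains on disk either way.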
A representative for Essential Plugin did not respond to a request for comment.
