Someone Put Backdoors in Dozens of WordPress Plugins Used on Thousands of Websites


Dozens of plugins for the widely used open source blogging software WordPress are now offline after a backdoor was discovered in them, one used to push malicious code to any website that relied on the plugins. The backdoor came to light after a new corporate owner had purchased the add-ons.

Anchor Hosting founder Austin Ginder sounded the alarm in a blog post last week describing a supply chain attack against a WordPress plugin maker called Essential Plugin. Ginder said that someone bought Essential Plugin last year and that a backdoor was soon added to the plugins' source code. The backdoor remained dormant until earlier this month, when it became active and began distributing malicious code to any website that had the plugins installed.

Essential Plugin's website claims over 400,000 plugin installations and over 15,000 customers. The WordPress plugin directory listings showed the affected plugins on more than 20,000 active WordPress installations.

Plugins let WordPress site owners extend a site's functionality, but doing so grants the plugins access to the site's resources, which can open those sites to malicious extensions and compromise. Ginder warned that WordPress users are not notified when a plugin changes ownership, leaving them exposed to takeover by a plugin's new owners.

According to Ginder, this is the second hijacking of a WordPress plugin discovered in as many weeks. Security researchers have long warned of the risks of malicious actors purchasing software and altering its code to compromise large numbers of computers around the world.

While the plugins have been removed from the WordPress directory, which now lists their closure as “permanent,” Ginder warned that WordPress site owners should check whether they still have any of the malicious plugins installed and remove them. Ginder's blog post includes a list of the affected plugins.
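The check Ginder recommends is an inventory problem: compare what is actually installed under wp-content/plugins with the list of affected plugin slugs. The script below is an added example, not code from the article or from Anchor Hosting. It reads each plugin's WordPress header comment (Plugin Name, Version, Author) the way WordPress itself does, from the first 8 KB of the main PHP file, and reports any installed slug that appears in an affected list. The AFFECTED_SLUGS set is a constructed placeholder, since the article does not reproduce Ginder's list; substitute the slugs from his blog post. The demo builds a throwaway plugins tree with constructed sample plugins so it runs offline.

```python
"""Inventory check: installed WordPress plugins versus a list of affected slugs.

Added example (not the article's or Anchor Hosting's code). AFFECTED_SLUGS is a
constructed placeholder; replace it with the slugs from Ginder's blog post.
"""
import re
import tempfile
from pathlib import Path

# Placeholder slugs (directory names under wp-content/plugins). Constructed; the
# article does not list the real affected plugins.
AFFECTED_SLUGS = {"example-affected-plugin", "another-affected-plugin"}

# WordPress plugin headers are "Key: value" lines inside a leading comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version|Author):\s*(.+?)\s*$", re.M)


def parse_plugin_header(php_path: Path) -> dict:
    """Return header fields from a plugin's main file (first 8 KB, as WordPress reads)."""
    text = php_path.read_text(encoding="utf-8", errors="replace")[:8192]
    return {key: value for key, value in HEADER_RE.findall(text)}


def inventory_plugins(plugins_dir: Path) -> dict:
    """Map plugin slug -> header fields for every plugin directory with a valid header."""
    found = {}
    for entry in sorted(plugins_dir.iterdir()):
        if not entry.is_dir():
            continue
        for php in sorted(entry.glob("*.php")):
            header = parse_plugin_header(php)
            if "Plugin Name" in header:
                found[entry.name] = header
                break
    return found


def find_affected(plugins_dir: Path, affected: set = AFFECTED_SLUGS) -> list:
    """Return the sorted slugs of installed plugins that are on the affected list."""
    return sorted(slug for slug in inventory_plugins(plugins_dir) if slug in affected)


def build_demo_site() -> Path:
    """Create a temporary wp-content/plugins tree with constructed sample plugins."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    samples = {
        "example-affected-plugin": "Example Affected Plugin",  # on the placeholder list
        "harmless-plugin": "Harmless Plugin",                  # not on the list
    }
    for slug, name in samples.items():
        plugin_dir = root / slug
        plugin_dir.mkdir(parents=True)
        (plugin_dir / f"{slug}.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: 1.0.0\n * Author: Example\n */\n",
            encoding="utf-8",
        )
    return root


def demo() -> list:
    """Run the check against the constructed demo site."""
    return find_affected(build_demo_site())


if __name__ == "__main__":
    # On a live site, point find_affected() at <wordpress root>/wp-content/plugins.
    for slug in demo():
        print(f"affected plugin still installed: {slug}")
```

Matching is done on the directory slug rather than on the display name, because the slug is what the WordPress directory listing and Ginder's list identify; a renamed plugin header would not hide an affected install from this check, but a renamed directory would, so treat a clean result as one input to remediation, not proof of absence.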

Representatives for Essential Plugin did not respond to a request for comment.
