Posted on January 24, 2022 at 2:25 PM

WordPress plugins and themes exploited by hackers to access legitimate websites

Hacking attacks continue to persist as victims fall to the new tricks and tactics used by hackers. The recent case is a supply chain attack that has launched secret backdoors to several themes and plugins for WordPress.

The hackers launched malicious code into these features to gain access to victims. The incident was detected during the first half of September 2021. Moreover, the hackers showed persistence as they looked towards infecting other sites.

Hackers plant backdoors on WordPress plugins and themes

By planting these backdoors, the hackers gained administrative control over various websites. These websites used 40 themes and 53 plugins developed by AccessPress Themes. This platform has more than 360,000 active website installations, which is proof of the wide user base affected following these attacks.

The report on these attacks was published by security researchers from JetPack, a WordPress plugin suite developer. The report published earlier in the week stated, “the infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites.”

The researchers also added that “the same extensions were fine if downloaded or installed directly from the WordPress [.] org directory.” The vulnerability has been given the identifier CVE-2021-24867.

A report on this vulnerability has also been shared by Sucuri, a website security platform. A separate analysis from the platform looked into some of the infected websites using this backdoor. These websites had similar features in common as they contained span payloads dated to around three years back.

The analysis could show the possibility that attackers behind the attack were selling access to these websites to other attackers launching other spam campaigns. Thus, the details accessed through the planted backdoors could be manipulated in the future and leave victims vulnerable to further attacks.

This is far from the first time vulnerabilities have been detected on WordPress websites. Earlier this month, a report from the eSentire cybersecurity firm noted that these websites affiliated with legitimate websites were being used by threat actors to deploy malware.

Due to the legitimate nature of the websites being used to deploy these attacks, many unsuspecting users were left vulnerable. Users targeted are those searching for intellectual property or postnuptial agreements on search engines. These users were targeted using an implant known as GootLoader.

AccessPress users urged to take precautions

Website owners that have installed plugins through the AccessPress Themes website have been urged to update to the latest version, which is safe and free from vulnerability. Additionally, a user can also replace it using the newest version from WordPress [.] org.

Furthermore, users have also been advised to use a new version of WordPress. Once this new version is deployed, it will get rid of the modifications made by the attackers to plant the backdoor.

Attackers have been targeting various WordPress plugins. The recent report comes shortly after Wordfence issued a report of a cross-site scripting (XSS) vulnerability that has since been patched.

Wordfence is the security company behind WordPress, and in a recent report, it stated that vulnerability was detected affecting the “WordPress Email Template Designer- WP HTML Mail.” The plugin is popular among WordPress users, and it has been installed on more than 20,000 websites.

The vulnerabilities were assigned the identifier CVE-2022-0218. It has been rated 8.3 on the CVSS vulnerability scoring system. Additionally, a patch for it will be issued as part of the upgrades released on January 13, 2022. The latest version that will patch this vulnerability will be version 3.1.

A statement from Chloe Chamberland regarding this vulnerability noted, “This flaw made it possible for an unauthenticated attacker to inject malicious JavaScript that would execute whenever a site administrator accessed the template editor. This vulnerability would also allow them to modify the email template to contain arbitrary data that could be used to perform a phishing attack against anyone who received emails from the compromised site.”

Another statistics report from Risk Based Security published earlier this month revealed the growing risk of vulnerabilities on WordPress plugins. The report noted that 2240 security flaws were detected on third-party WordPress plugins. This was detected towards the end of 2021, a 142% increase from 2020.

In 2020, security flaws in third-party WordPress plugins stood at around 1000. Over the years, 10,359 WordPress plugin security flaws have been detected, representing a worrisome figure, given the number of users that use these plugins.