Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes
2022-01-21 23:39

In yet another instance of a software supply chain attack, dozens of WordPress themes and plugins hosted on a developer's website were backdoored with malicious code in the first half of September 2021 with the goal of infecting further sites.

The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based company that boasts of no fewer than 360,000 active website installations.

"The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites," security researchers from Jetpack, a WordPress plugin suite developer, said in a report published this week.

The findings also come as WordPress security company Wordfence disclosed details of a now-patched cross-site scripting vulnerability impacting a plugin called "WordPress Email Template Designer - WP HTML Mail" that's installed on over 20,000 websites.

According to statistics published by Risk Based Security this month, a whopping 2,240 security flaws were discovered and reported in third-party WordPress plugins towards the end of 2021, up 142% from 2020, when nearly 1,000 vulnerabilities were disclosed.

To date, a total of 10,359 WordPress plugin vulnerabilities have been uncovered.


News URL

https://thehackernews.com/2022/01/hackers-planted-secret-backdoor-in.html

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Wordpress | | 7 | 2 | 93 | 44 | 18 | 157 |