Someone planted backdoors in dozens of WordPress plugins used in thousands of websites

America post Staff


Dozens of plugins for the widely used open source web blogging software WordPress are now offline after a backdoor was discovered in them, used to push malicious code to any website that relied on the plugins. The backdoor was discovered after a new corporate owner bought these plugins.

Anchor Hosting founder Austin Ginder sounded the alarm in a blog post last week describing a supply chain attack on a WordPress plugin maker called Essential Plugin. Ginder said someone last year bought Essential Plugin and the backdoor was soon added to the plugins’ source code. The backdoor sat dormant until earlier this month when it activated and began distributing malicious code to any website with the plugins installed.

Essential Plugin says on its website that it has over 400,000 plugin installs and more than 15,000 customers. WordPress’s plugin install page says the affected plugins are in over 20,000 active WordPress installations.

Plugins allow owners of WordPress-based websites to extend the site’s functionality, but in doing so grant the plugins access to their installations, which can open these websites to malicious extensions and potential compromise. Ginder also warned that WordPress users are not notified of any plugin’s change in ownership, exposing users to potential takeover attacks by the new owners.

According to Ginder, this is the second hijack of a WordPress plugin discovered in as many weeks. Security researchers have long warned of the risks of malicious actors buying software and changing its code in order to compromise a large number of computers around the world.

While the plugins have been removed from WordPress’s directory and now list their closure as “permanent,” Ginder warned that WordPress site owners should check whether they still have one of the malicious plugins installed and remove it. Ginder has a list of the affected plugins in the blog post.
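The check Ginder recommends, written out as an added example (this is not code from the article, from Ginder, or from Essential Plugin): compare the plugins installed on a site against a list of affected slugs. The slugs in `REMOVED_PLUGIN_SLUGS` are placeholders, not the real affected plugins; the real list is in Ginder’s post. The input is the JSON that WP-CLI’s `wp plugin list --format=json` prints (the sample here is constructed), with a fallback that scans the `wp-content/plugins` directory for sites without WP-CLI.

```python
"""Flag installed WordPress plugins that appear on a removal list.

Added example. The plugin list JSON below is a constructed sample of what
`wp plugin list --format=json --fields=name,status,version` prints, and the
flagged slugs are placeholders: substitute the slugs from the published list.
"""
import json
import os

# PLACEHOLDER slugs, not the real affected plugins.
REMOVED_PLUGIN_SLUGS = {"example-affected-plugin", "another-affected-plugin"}

# Constructed sample of WP-CLI output for a site with two flagged plugins.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "version": "5.3"},
    {"name": "example-affected-plugin", "status": "active", "version": "1.2.0"},
    {"name": "another-affected-plugin", "status": "inactive", "version": "2.0.1"},
])


def find_flagged_plugins(plugin_list_json, flagged_slugs=REMOVED_PLUGIN_SLUGS):
    """Return (name, status, version) for every installed plugin on the flagged list.

    Inactive plugins are reported too: their PHP is still on disk and can be
    reactivated, so "inactive" is not the same as "removed".
    """
    plugins = json.loads(plugin_list_json)
    return [
        (p["name"], p["status"], p.get("version", ""))
        for p in plugins
        if p["name"] in flagged_slugs
    ]


def flagged_from_dir_names(dir_names, flagged_slugs=REMOVED_PLUGIN_SLUGS):
    """Fallback for hosts without WP-CLI: a plugin's slug is its directory name
    under wp-content/plugins, so match directory names against the list."""
    return sorted(name for name in dir_names if name in flagged_slugs)


def scan_plugins_dir(plugins_dir):
    """Wrap flagged_from_dir_names() over a real wp-content/plugins path."""
    names = [d for d in os.listdir(plugins_dir)
             if os.path.isdir(os.path.join(plugins_dir, d))]
    return flagged_from_dir_names(names)


def removal_commands(flagged):
    """Build the WP-CLI commands to deactivate (if active) and delete each
    flagged plugin. Returned as strings for an operator to review, not run."""
    cmds = []
    for name, status, _version in flagged:
        if status == "active":
            cmds.append(f"wp plugin deactivate {name}")
        cmds.append(f"wp plugin delete {name}")
    return cmds


if __name__ == "__main__":
    flagged = find_flagged_plugins(SAMPLE_WP_PLUGIN_LIST)
    if not flagged:
        print("No flagged plugins installed.")
    for name, status, version in flagged:
        print(f"FLAGGED: {name} ({status}, v{version})")
    for cmd in removal_commands(flagged):
        print("  ", cmd)
```

Run it against live output with `wp plugin list --format=json --fields=name,status,version > plugins.json` and pass the file contents to `find_flagged_plugins`. Deleting the plugin removes its code, but it does not undo changes the backdoored code may already have made to the site; after removal, review recently modified files, admin users and scheduled tasks, and restore from a backup taken before the plugins activated if the site cannot be trusted.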

Representatives for Essential Plugin did not respond to a request for comment.
