Numerous plug-ins for the popular open-source blogging platform, WordPress, have been taken offline following the discovery of a backdoor intended to insert harmful code into websites using these extensions. This backdoor emerged after a corporate acquisition involving the plug-in development firm, Essential Plugin.
Austin Ginder, the founder of Anchor Hosting, raised concerns in a recent blog post regarding a supply chain attack aimed at Essential Plugin. He noted that the company, sold last year, saw that the new owners integrated the backdoor into the plug-in’s code. Initially dormant, this backdoor activated recently, distributing malicious code to any site that had the affected plug-ins installed.
Essential Plugin claims to support over 400,000 installations and more than 15,000 clients. According to WordPress’s plug-in installation page, the compromised plug-ins are active on over 20,000 WordPress sites. While plug-ins enhance the capabilities of WordPress sites, they also pose risks as they require access to the sites, which can lead to security vulnerabilities.
Ginder highlighted a critical issue: WordPress users are not notified when a plug-in changes ownership, thereby increasing the risk of takeover attacks by new owners. This incident marks the second case of a WordPress plug-in being hijacked within weeks, underscoring warnings from security experts about the dangers posed by malicious actors who acquire software to alter its code for widespread harm.
Although the compromised plug-ins have been removed from the WordPress directory and are now listed as permanently closed, Ginder cautioned WordPress users to verify if they still have the malicious plug-ins installed and urged immediate removal if present. He provided a list of the affected plug-ins in his blog post for reference. A request for comment from Essential Plugin representatives went unanswered.
This development serves as a stark reminder of the risks associated with plug-in ownership changes and the importance of maintaining vigilance in website security.
Fanpage: TechArena.au
Watch more about AI – Artificial Intelligence
