A supply chain compromise has hit numerous plug-ins for the popular open-source blogging platform WordPress. A backdoor was inserted into the plug-ins' source code, allowing harmful code to be pushed to any site that had them installed. The backdoor came to light after the plug-ins were acquired by a new corporate owner.
Austin Ginder, founder of Anchor Hosting, raised the alarm in a recent blog entry describing a supply chain attack involving a plug-in developer known as Essential Plugin. He reported that Essential Plugin was sold last year and that, shortly afterwards, the backdoor was added to the plug-ins' source code. It lay dormant until the start of this month, when it activated and began targeting websites running the affected plug-ins.
Essential Plugin boasts over 400,000 installations and more than 15,000 customers, as stated on its official website. According to WordPress’ plug-in directory, the compromised plug-ins had been installed on more than 20,000 active sites.
Plug-ins extend the functionality of WordPress sites, but they do so by running as PHP code inside the site itself, with the same access as WordPress, so a malicious plug-in can do anything the site can. Ginder cautioned that a change of plug-in ownership triggers no notification to users, so site administrators have no warning when a plug-in they trust passes to a new owner who may abuse that access.
This incident is the second known hijacking of a WordPress plug-in within a fortnight, underscoring a concern security researchers have raised repeatedly: malicious actors buying established software and altering its code to reach the many machines that already run it.
Following the discovery of the backdoor, the affected plug-ins were removed from the WordPress directory and their status is now listed as permanently closed. Ginder urged WordPress site owners to check whether any of the compromised plug-ins are still installed or active on their sites and to remove them. He has published a comprehensive list of the impacted plug-ins on his blog.
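A practical way to carry out that check on a server, as an added example that is not part of the original article or of Ginder's post: the script below walks a site's wp-content/plugins directory, reads each plug-in's header the way WordPress's get_plugin_data() does, compares the slugs against a watchlist, and reports whether each hit is active. The watchlist slugs and the sample plug-in files are constructed placeholders for illustration; substitute the slugs from the published list. The active-plug-in entries mirror the 'slug/main-file.php' form WordPress stores in its active_plugins option, which `wp plugin list --status=active` reports.

```python
"""Audit a WordPress plugins directory against a watchlist of plugin slugs."""
import os
import re
import tempfile

# Header fields WordPress's get_plugin_data() reads from the main plugin file.
HEADER_FIELDS = {"Plugin Name": "name", "Version": "version", "Author": "author"}
HEADER_BYTES = 8192  # WordPress only inspects the first 8 KiB of the file


def parse_plugin_header(path):
    """Return the plugin header of a PHP file, or None if it has no 'Plugin Name:' line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(HEADER_BYTES)
    meta = {}
    for field, key in HEADER_FIELDS.items():
        # Same pattern WordPress uses: optional comment punctuation, then 'Field:'.
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        if m:
            meta[key] = m.group(1).strip()
    return meta if "name" in meta else None


def list_installed_plugins(plugins_dir):
    """Map slug -> header metadata for every plugin under wp-content/plugins."""
    installed = {}
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if os.path.isdir(full):
            # A plugin directory may hold many PHP files; the first with a header is the main file.
            for fname in sorted(os.listdir(full)):
                if not fname.endswith(".php"):
                    continue
                meta = parse_plugin_header(os.path.join(full, fname))
                if meta:
                    installed[entry] = dict(meta, main_file=f"{entry}/{fname}")
                    break
        elif entry.endswith(".php"):
            # Single-file plugin living directly in the plugins directory (e.g. hello.php).
            meta = parse_plugin_header(full)
            if meta:
                installed[entry[:-4]] = dict(meta, main_file=entry)
    return installed


def audit(plugins_dir, watchlist, active_plugins):
    """Return findings for installed plugins whose slug is on the watchlist.

    watchlist: set of slugs to look for (the published list of compromised plugins).
    active_plugins: iterable of 'slug/main.php' entries as stored in the
    'active_plugins' option (what `wp plugin list --status=active` reports).
    """
    active_files = set(active_plugins)
    findings = []
    for slug, meta in sorted(list_installed_plugins(plugins_dir).items()):
        if slug not in watchlist:
            continue
        findings.append({
            "slug": slug,
            "name": meta["name"],
            "version": meta.get("version", "?"),
            "active": meta["main_file"] in active_files,
        })
    return findings


def remediation_commands(findings):
    """WP-CLI commands that deactivate (if active) and delete each flagged plugin."""
    cmds = []
    for f in findings:
        if f["active"]:
            cmds.append(f"wp plugin deactivate {f['slug']}")
        cmds.append(f"wp plugin delete {f['slug']}")
    return cmds


def build_demo_site():
    """Constructed sample: a throwaway plugins directory with hypothetical plugin slugs."""
    root = tempfile.mkdtemp()
    plugins = os.path.join(root, "wp-content", "plugins")
    os.makedirs(os.path.join(plugins, "example-widgets"))
    os.makedirs(os.path.join(plugins, "unrelated-seo"))
    with open(os.path.join(plugins, "example-widgets", "example-widgets.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Example Widgets\nVersion: 3.1.4\nAuthor: Hypothetical Vendor\n*/\n")
    with open(os.path.join(plugins, "unrelated-seo", "seo.php"), "w") as fh:
        fh.write("<?php\n/**\n * Plugin Name: Unrelated SEO\n * Version: 1.0\n */\n")
    with open(os.path.join(plugins, "hello.php"), "w") as fh:
        fh.write("<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.7.2\n */\n")
    return plugins


if __name__ == "__main__":
    plugins_dir = build_demo_site()
    # Hypothetical watchlist; substitute the slugs from the published list.
    watchlist = {"example-widgets", "another-hypothetical-slug"}
    active = ["example-widgets/example-widgets.php", "hello.php"]
    found = audit(plugins_dir, watchlist, active)
    for f in found:
        print(f"{f['slug']} ({f['name']} {f['version']}): {'ACTIVE' if f['active'] else 'inactive'}")
    print("\n".join(remediation_commands(found)))
```

Point the script at a real site's wp-content/plugins directory and feed it the output of `wp plugin list --status=active --field=file`. Note that an inactive but still-installed plug-in should also be deleted: a plug-in's files remain on disk and can be re-enabled, and this backdoor sat dormant in shipped code for months before activating.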
Representatives from Essential Plugin have yet to comment on this alarming situation.