
Dozens of plugins for WordPress, the popular open source web blogging software, are now offline after a backdoor was discovered that was used to push malicious code to any website running one of the plugins. The backdoor was discovered after new owners purchased these plugins.
Anchor Hosting founder Austin Ginder sounded the alarm in a blog post last week, describing a supply chain attack on the maker of a WordPress plugin suite called Essential Plugin. Ginder said someone purchased Essential Plugin last year, and a backdoor was soon added to the plugins’ source code. The backdoor remained dormant until earlier this month, when it was activated and began distributing malware to all websites where the plugins were installed.
Essential Plugin states on its website that it has over 400,000 plugin installations and over 15,000 customers. WordPress’ plugin directory lists the affected plugins as having over 20,000 active installations.
Plugins allow owners of WordPress-based websites to extend their site’s functionality, but doing so gives the plugin access to the installation, exposing the site to malicious extensions and potential damage. Ginder warned that WordPress users are not notified when a plugin changes ownership, leaving them exposed to takeover attacks by new owners.
According to Ginder, this is the second hijacking of a WordPress plugin discovered in as many weeks. Security researchers have long warned about the risk of malicious actors buying software and changing code to compromise millions of computers around the world.
While the plugins have been removed from the WordPress directory and are now listed as permanently closed, Ginder warned that WordPress site owners should check whether any of the malicious plugins is still installed and remove it. Ginder’s blog post lists the affected plugins.
Representatives for Essential Plugin did not respond to a request for comment.