Dozens of WordPress plug-ins went offline following the discovery of a backdoor that delivered malicious code to users. The issue arose after the corporate acquisition of the plug-in maker Essential Plugin, prompting security concerns.
Austin Ginder, founder of Anchor Hosting, detailed the supply chain attack in a blog post. He stated that a backdoor was added to the plug-ins’ source code soon after last year’s acquisition. This backdoor remained inactive until earlier this month when it began distributing malicious code to websites utilizing the affected plug-ins.
Essential Plugin claims over 400,000 plug-in installs and more than 15,000 customers, while the affected plug-ins have been installed on more than 20,000 active WordPress installations, according to WordPress’ plug-in install page. Although plug-ins enhance the functionality of WordPress websites, they also pose a security risk because they have access to the installations they run on, which can lead to breaches.
Ginder emphasized that WordPress users are not notified when a plug-in changes ownership, which increases the risk of takeover attacks. According to him, this incident marks the second hijacking of a WordPress plug-in in two weeks. Security researchers have expressed concerns about the dangers posed by malicious actors acquiring software to alter its code for widespread compromise.
The affected plug-ins have been removed from WordPress’ directory and their closure is being labeled as “permanent.” Ginder urged WordPress site owners to verify and remove any remaining malicious plug-ins installed on their websites. A list of these plug-ins is available in his blog post. Essential Plugin representatives did not respond to a request for comment.
