Dozens of WordPress plug-ins are offline following the discovery of a backdoor that distributed malicious code to websites using them. The backdoor was unearthed after the acquisition of the plug-in maker, Essential Plugin.

Austin Ginder, founder of Anchor Hosting, reported the incident in a blog post detailing a supply chain attack against Essential Plugin. Ginder noted that after the company was acquired last year, a backdoor was introduced into the plug-ins’ source code. This backdoor remained dormant until recently, when it began to push malicious code to any affected website.

Essential Plugin claims to have over 400,000 plug-in installs and more than 15,000 customers. Currently, the affected plug-ins are present in over 20,000 active WordPress installations, exposing many websites to potential security vulnerabilities.

Plug-ins enhance WordPress functionality but grant significant access to their host installations. Ginder stated that users are not informed about ownership changes of plug-ins, thus increasing the risk of takeover attacks by new owners.

This incident marks the second reported hijacking of a WordPress plug-in in the past two weeks. Ginder emphasized the growing concern among security researchers regarding malicious actors who acquire software solely to alter its code for widespread network compromise.

The compromised plug-ins have been removed from the WordPress directory and are now listed as permanently closed. Ginder advised WordPress owners to verify their installations and remove any malicious plug-ins. He has provided a list of the affected plug-ins in his blog post.

