Dozens of WordPress plug-ins went offline following the discovery of a backdoor that delivered malicious code to users. The issue arose after the corporate acquisition of the plug-in maker Essential Plugin, prompting security concerns.
Austin Ginder, founder of Anchor Hosting, detailed the supply chain attack in a blog post. He stated that a backdoor was added to the plug-ins’ source code soon after last year’s acquisition. This backdoor remained inactive until earlier this month when it began distributing malicious code to websites utilizing the affected plug-ins.
Essential Plugin claims over 400,000 plug-in installs and more than 15,000 customers, while the affected plug-ins have been installed on more than 20,000 active WordPress installations, according to WordPress’ plug-in install page. Although plug-ins enhance the functionality of WordPress websites, they also pose a security risk because they have access to the installations they run on, which can lead to breaches.
Ginder emphasized that WordPress users are not notified when a plug-in changes ownership, which increases the risk of takeover attacks. According to him, this incident marks the second hijacking of a WordPress plug-in in two weeks. Security researchers have expressed concerns about malicious actors acquiring software in order to alter its code for widespread compromise.
The affected plug-ins have been removed from WordPress’ directory and their closure is being labeled as “permanent.” Ginder urged WordPress site owners to verify and remove any remaining malicious plug-ins installed on their websites. A list of these plug-ins is available in his blog post. Essential Plugin representatives did not respond to a request for comment.





