
WordPress Plugins Removed Following Discovery of Backdoor After Ownership Change


Backdoor Discovered in Dozens of WordPress Plugins, Prompting Removal

Dozens of WordPress plugins have been removed from the official directory after a backdoor was discovered in their source code. The backdoor, which activated earlier this month, was used to distribute malicious code to websites using the affected plugins. The discovery was made after the plugin maker, Essential Plugin, was acquired by a new corporate owner last year.

This incident was characterized as a supply chain attack, where malicious code was inserted into widely used software.

Discovery and Timeline of Events

The incident was detailed in a blog post by Austin Ginder, founder of Anchor Hosting. According to Ginder's account, Essential Plugin was purchased by an unidentified party last year. Following this acquisition, a backdoor was added to the source code of dozens of its plugins.

This backdoor remained inactive until earlier this month, when it activated and began pushing malicious code to websites where the plugins were installed.

Scale and Impact

Essential Plugin's website states the company has over 400,000 plugin installs and more than 15,000 customers. Data from WordPress's plugin directory indicates the specific affected plugins were active on over 20,000 WordPress installations at the time of their removal.

WordPress plugins are software add-ons that allow website owners to extend site functionality. By their nature, plugins are granted access to a WordPress installation, which makes a compromised plugin a potential security risk for the site it is installed on.

Response and Current Status

In response to the discovery, the affected plugins have been removed from the official WordPress plugin directory. Their listings now show a "permanent" closure status.

Austin Ginder has advised WordPress site administrators to check if they have any of the compromised plugins installed and to remove them. A list of the affected plugins is available in Ginder's blog post.

Representatives for Essential Plugin did not respond to requests for comment from the sources.

Related Context and Warnings

In his blog post, Ginder noted that this incident marks the second reported hijacking of a WordPress plugin discovered within a two-week period.

Security researchers have previously warned about the risks associated with malicious actors purchasing software companies to gain access and modify code for malicious purposes.

Ginder also stated that WordPress does not notify users when a plugin changes ownership.