Last week, researchers disclosed a supply chain attack where attackers deployed a backdoor in several WordPress themes and plugins that were hosted on a developer’s website.
In the incident in September of last year, the threat actors reportedly compromised 53 plugins and 40 themes. The impacted products belong to AccessPress Themes, a popular WordPress theme and plugin vendor. The issue, tracked as CVE-2021-24867, is currently reserved.
While investigating a website that was using a theme by AccessPress Themes, Jetpack’s security team discovered suspicious code within the extension. Upon further investigation, researchers discovered that all the vendor’s themes and most of its plugins held the same code.
However, this only applied to products on the AccessPress Themes website, so users who downloaded the extensions straight from WordPress were in the clear.
The compromised themes and plugins hosted a web shell dropper that could grant attackers full access to the impacted websites, according to Jetpack’s advisory.
Reportedly, the dropper was planted in the initial.php file, located in the main folder of the extension. Running the dropper installed a cookie-based web shell in wp-includes/vars.php. It's worth noting that the attackers installed the shell as a function so that it would blend in with the legitimate code and evade detection by anyone scrolling through the vars.php file.
After installing the shell, the dropper contacts the perpetrator’s C2 and sends it critical data cloaked as query arguments, such as the URL of the infected website and the theme it uses. Once it’s done, it removes the dropper source file to avoid suspicion.
You can check Jetpack’s advisory for a full list of compromised themes and plugins and a YARA rule you can use to check if your site has been compromised. If you want to make sure your website hasn’t been impacted by this attack, you can perform the following actions:
- Check lines 146-158 of your wp-includes/vars.php file for a wp_is_mobile_fix function holding obfuscated lines of code; if you find the code, your website has been compromised
- Query your file system for wp-theme-connect to detect potentially affected files
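The two checks above, automated as an added example (this is not Jetpack's YARA rule or code from the advisory): it looks for a wp_is_mobile_fix function definition in wp-includes/vars.php and for files whose name or contents mention wp-theme-connect, and builds a constructed sample WordPress tree with harmless placeholders so it can be run offline.

```python
import os
import re
import tempfile

# Indicators from the advisory summary above; this is an added example, not Jetpack's YARA rule.
SHELL_FUNCTION = re.compile(r"function\s+wp_is_mobile_fix\s*\(")
DROPPER_MARKER = b"wp-theme-connect"

def check_vars_php(wp_root):
    """Line numbers in wp-includes/vars.php that define wp_is_mobile_fix (clean core defines none)."""
    path = os.path.join(wp_root, "wp-includes", "vars.php")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [n for n, line in enumerate(fh, start=1) if SHELL_FUNCTION.search(line)]

def find_dropper_marker(wp_root):
    """wp_root-relative paths of files whose name or bytes contain wp-theme-connect."""
    hits = []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    tainted = DROPPER_MARKER in name.encode() or DROPPER_MARKER in fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if tainted:
                hits.append(os.path.relpath(full, wp_root).replace(os.sep, "/"))
    return sorted(hits)

def scan(wp_root):
    """Both checks in one report; empty lists mean neither indicator was found."""
    return {"vars_php_lines": check_vars_php(wp_root),
            "marker_files": find_dropper_marker(wp_root)}

def build_sample_install():
    """Constructed WordPress tree with both indicators planted, for offline demonstration only."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    theme = os.path.join(root, "wp-content", "themes", "sample-theme")
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(theme)
    with open(os.path.join(root, "wp-includes", "vars.php"), "w") as fh:
        fh.write("<?php\n// constructed stand-in for core code\n"
                 "function wp_is_mobile_fix() { /* constructed placeholder, not the real shell */ }\n")
    with open(os.path.join(theme, "initial.php"), "w") as fh:
        fh.write("<?php\n// constructed stand-in for the dropper; it references wp-theme-connect\n")
    return root

if __name__ == "__main__":
    print(scan(build_sample_install()))  # constructed sample: both indicators reported
```

Point scan() at a real WordPress root to run the same checks there; a hit on either indicator is a reason to follow the advisory's remediation, not proof of a clean site when absent, since the real shell may have been restyled.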