Security specialist Jetpack discovered backdoors in legitimate WordPress plugins from AccessPress Themes, a WordPress dev. The backdoors allow hackers to take complete control of WordPress websites.

Jetpack’s investigation shows that AccessPress Themes’ WordPress plugins and themes feature a backdoor that provides hackers with complete administrative control over WordPress websites. At least 93 modules are affected: 40 AccessPress themes and 53 plugins.

Themes and plugins with backdoors

According to Jetpack, backdoor timestamps indicate that the vulnerabilities were introduced in a coordinated effort shortly after the themes’ and plugins’ release. The infected modules were available directly from the AccessPress website. AccessPress themes and plugins available through WordPress.org were found to be clean. The effort was carried out in September of last year.

The infected themes and plugins contain a script, initial.php. The script is added to the default directory and default functions.php file. The script acts as a dropper. It uses camouflaged code to download a payload from wp-theme-connect.com. The payload is used to install a backdoor. Once installed, the dropper self-destructs to disguise the attack.

According to Jetpack, the hackers use the backdoor to sell access to compromised websites. In this way, infected sites can be used to spread spam and redirect to malicious websites.

Overview of affected tools

Jetpack published a complete overview of affected AccessPress themes and plugins. The experts recommend that systems running the software be thoroughly inspected for backdoors. The overview also includes clean plugin versions and ways to address the issue.