ProHoster > Blog > internet news > Backdoor in 93 AccessPress plugins and themes used on 360 websites

Backdoor in 93 AccessPress plugins and themes used on 360 websites

The attackers managed to embed a backdoor into 40 plugins and 53 themes for the WordPress content management system, developed by AccessPress, which claims that its add-ons are used on more than 360 thousand sites. The results of the analysis of the incident have not yet been provided, but it is assumed that the malicious code was introduced during the compromise of the AccessPress website, making changes to the archives offered for download with already released releases, since the backdoor is present only in the code distributed through the official AccessPress website, but is absent in those the same releases of add-ons distributed through the WordPress.org directory.

The malicious changes were discovered by a researcher at JetPack (a division of WordPress developer Automatic) while examining malicious code found on a client's website. An analysis of the situation showed that malicious changes were present in the WordPress add-on downloaded from the official AccessPress website. Other add-ons from the same manufacturer were also subject to malicious modifications that allowed full access to the site with administrator rights.

During the modification, the attackers added the β€œinitial.php” file to the archives with plugins and themes, which was connected via the β€œinclude” directive in the β€œfunctions.php” file. To confuse the trail, the malicious content in the β€œinitial.php” file was camouflaged as a base64 encoded block of data. The malicious insert, under the guise of obtaining an image from the website wp-theme-connect.com, directly loaded the backdoor code into the wp-includes/vars.php file.

Backdoor in 93 AccessPress plugins and themes used on 360 websites
Backdoor in 93 AccessPress plugins and themes used on 360 websites

The first sites that included malicious changes to AccessPress add-ons were identified in September 2021. It is assumed that it was then that the backdoor was inserted into the add-ons. The first notification to AccessPress about the identified problem went unanswered, and AccessPress was only able to get attention after involving the WordPress.org team in the investigation. On October 15, 2021, the archives affected by the backdoor were removed from the AccessPress website, and new versions of the add-ons were released on January 17, 2022.

Sucuri separately examined sites on which affected versions of AccessPress were installed and identified the presence of malicious modules loaded through a backdoor that sent spam and redirected transitions to fraudulent sites (the modules were dated 2019 and 2020). It is assumed that the authors of the backdoor were selling access to compromised sites.

Themes in which the backdoor substitution is recorded:

  • accessbuddy 1.0.0
  • accesspress-basic 3.2.1
  • accesspress-lite 2.92
  • accesspress-mag 2.6.5
  • accesspress-parallax 4.5
  • accesspress-ray 1.19.5
  • accesspress-root 2.5
  • accesspress-staple 1.9.1
  • accesspress-store 2.4.9
  • agency-lite 1.1.6
  • aplite 1.0.6
  • bingle 1.0.4
  • blogger 1.2.6
  • construction-lite 1.2.5
  • doko 1.0.27
  • enlighten 1.3.5
  • fashstore 1.2.1
  • photography 2.4.0
  • gaga-corp 1.0.8
  • gaga-lite 1.4.2
  • one-space 2.2.8
  • parallax-blog 3.1.1574941215
  • parallaxsome 1.3.6
  • punte 1.1.2
  • revolve 1.3.1
  • ripple 1.2.0
  • scrollme 2.1.0
  • sportsmag 1.2.1
  • storevilla 1.4.1
  • swing-lite 1.1.9
  • the-launcher 1.3.2
  • the-monday 1.4.1
  • uncode-lite 1.3.1
  • unicon-lite 1.2.6
  • vmag 1.2.7
  • vmagazine-lite 1.3.5
  • vmagazine-news 1.0.5
  • zigcy-baby 1.0.6
  • zigcy-cosmetics 1.0.5
  • zigcy-lite 2.0.9

Plugins in which backdoor substitution was detected:

  • accesspress-anonymous-post 2.8.0 2.8.1 1
  • accesspress-custom-css 2.0.1 2.0.2
  • accesspress-custom-post-type 1.0.8 1.0.9
  • accesspress-facebook-auto-post 2.1.3 2.1.4
  • accesspress-instagram-feed 4.0.3 4.0.4
  • accesspress-pinterest 3.3.3 3.3.4
  • accesspress-social-counter 1.9.1 1.9.2
  • accesspress-social-icons 1.8.2 1.8.3
  • accesspress-social-login-lite 3.4.7 3.4.8
  • accesspress-social-share 4.5.5 4.5.6
  • accesspress-twitter-auto-post 1.4.5 1.4.6
  • accesspress-twitter-feed 1.6.7 1.6.8
  • ak-menu-icons-lite 1.0.9
  • ap-companion 1.0.7 2
  • ap-contact-form 1.0.6 1.0.7
  • ap-custom-testimonial 1.4.6 1.4.7
  • ap-mega-menu 3.0.5 3.0.6
  • ap-pricing-tables-lite 1.1.2 1.1.3
  • apex-notification-bar-lite 2.0.4 2.0.5
  • cf7-store-to-db-lite 1.0.9 1.1.0
  • comments-disable-accesspress 1.0.7 1.0.8
  • easy-side-tab-cta 1.0.7 1.0.8
  • everest-admin-theme-lite 1.0.7 1.0.8
  • everest-coming-soon-lite 1.1.0 1.1.1
  • everest-comment-rating-lite 2.0.4 2.0.5
  • everest-counter-lite 2.0.7 2.0.8
  • everest-faq-manager-lite 1.0.8 1.0.9
  • everest-gallery-lite 1.0.8 1.0.9
  • everest-google-places-reviews-lite 1.0.9 2.0.0
  • everest-review-lite 1.0.7
  • everest-tab-lite 2.0.3 2.0.4
  • everest-timeline-lite 1.1.1 1.1.2
  • inline-call-to-action-builder-lite 1.1.0 1.1.1
  • product-slider-for-woocommerce-lite 1.1.5 1.1.6
  • smart-logo-showcase-lite 1.1.7 1.1.8
  • smart-scroll-posts 2.0.8 2.0.9
  • smart-scroll-to-top-lite 1.0.3 1.0.4
  • total-gdpr-compliance-lite 1.0.4
  • total-team-lite 1.1.1 1.1.2
  • ultimate-author-box-lite 1.1.2 1.1.3
  • ultimate-form-builder-lite 1.5.0 1.5.1
  • woo-badge-designer-lite 1.1.0 1.1.1
  • wp-1-slider 1.2.9 1.3.0
  • wp-blog-manager-lite 1.1.0 1.1.2
  • wp-comment-designer-lite 2.0.3 2.0.4
  • wp-cookie-user-info 1.0.7 1.0.8
  • wp-facebook-review-showcase-lite 1.0.9
  • wp-fb-messenger-button-lite 2.0.7
  • wp-floating-menu 1.4.4 1.4.5
  • wp-media-manager-lite 1.1.2 1.1.3
  • wp-popup-banners 1.2.3 1.2.4
  • wp-popup-lite 1.0.8
  • wp-product-gallery-lite 1.1.1

Source: opennet.ru

Add a comment