Jetpack discovered a backdoor in AccessPress themes and plugins. Every theme and most plugins from AccessPress contain this malware, but only if downloaded directly from the company's website. Downloads and installations from the WordPress.org directory are not affected. The vendor has since removed the infected extensions from its website.
Malware With AccessPress Themes
The investigation revealed that AccessPress Themes was breached in the first half of September 2021. The attacker injected the backdoor in the hopes of infecting multiple websites.
- Vendor: AccessPress Themes
- Vendor url: https://accesspressthemes.com
- Plugins: multiple
- Themes: multiple
- CVE: CVE-2021-24867
Analysis revealed that the infected extensions contain a dropper for a webshell that gives the attackers full access to the infected sites. The dropper is the file inital.php in the main plugin or theme directory. When run, it installs a cookie-based webshell in wp-includes/vars.php. The shell is installed as a function named wp_is_mobile_fix(), placed directly in front of the existing wp_is_mobile() function.
After the shell is installed, the dropper phones home by loading a remote image from hxxps://www.wp-theme-connect.com/images/wp-theme.jpg, passing the URL of the infected site and the theme it uses as query arguments.
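The two indicators described above (a dropper named inital.php at the top level of a plugin or theme directory, and a wp_is_mobile_fix() function injected into wp-includes/vars.php) are simple to check for on a server. The following scanner is an added example written for this page; it is not code from Jetpack, AccessPress, or the report. It builds a small constructed WordPress-like directory tree (one clean plugin, one infected plugin, and a modified vars.php with a harmless stand-in function) and reports which indicators it finds. The regular expression for the injected function name is an assumption based on the description above, not a signature taken from the report.

```python
"""Added example: scan a WordPress install for the AccessPress backdoor indicators
described in the text (inital.php dropper, wp_is_mobile_fix() in wp-includes/vars.php).
Not code from Jetpack or AccessPress; sample tree and contents are constructed here."""
import re
import tempfile
from pathlib import Path

# Indicator names taken from the description; the regex itself is an assumption
SHELL_FUNC_RE = re.compile(r"function\s+wp_is_mobile_fix\s*\(", re.IGNORECASE)
DROPPER_NAME = "inital.php"  # the misspelling is the actual file name reported


def scan_wordpress(root):
    """Return a sorted list of (indicator, relative_path) tuples found under a WordPress root."""
    root = Path(root)
    findings = []

    # 1. Core file modification: the webshell is added as a function in wp-includes/vars.php
    vars_php = root / "wp-includes" / "vars.php"
    if vars_php.is_file():
        text = vars_php.read_text(errors="replace")
        if SHELL_FUNC_RE.search(text):
            findings.append(("webshell_function", str(vars_php.relative_to(root))))

    # 2. Dropper: inital.php sitting in the main directory of a plugin or theme
    for ext_dir in (root / "wp-content" / "plugins", root / "wp-content" / "themes"):
        if not ext_dir.is_dir():
            continue
        for child in ext_dir.iterdir():
            dropper = child / DROPPER_NAME
            if child.is_dir() and dropper.is_file():
                findings.append(("dropper", str(dropper.relative_to(root))))
    return sorted(findings)


def build_sample_install(base):
    """Construct a fake WordPress tree: one clean plugin, one plugin carrying a
    stand-in dropper, and a vars.php with a harmless stand-in for the injected function.
    Everything written here is constructed for the example and contains no real malware."""
    base = Path(base)
    clean = base / "wp-content" / "plugins" / "clean-plugin"
    clean.mkdir(parents=True)
    (clean / "clean-plugin.php").write_text("<?php // constructed clean plugin\n")

    infected = base / "wp-content" / "plugins" / "infected-plugin"
    infected.mkdir(parents=True)
    (infected / "infected-plugin.php").write_text("<?php // constructed plugin main file\n")
    (infected / DROPPER_NAME).write_text("<?php // constructed stand-in for the dropper\n")

    (base / "wp-content" / "themes" / "clean-theme").mkdir(parents=True)
    (base / "wp-includes").mkdir(parents=True)
    (base / "wp-includes" / "vars.php").write_text(
        "<?php\n"
        "function wp_is_mobile_fix() { /* constructed stand-in for the injected function */ }\n"
        "function wp_is_mobile() { return false; }\n"
    )
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_wordpress(build_sample_install(tmp))


if __name__ == "__main__":
    for indicator, path in demo():
        print(f"{indicator}: {path}")
```

Running the module against the constructed tree reports the dropper under the infected plugin and the injected function in wp-includes/vars.php, while the clean plugin and theme produce nothing. On a real install, point scan_wordpress() at the WordPress root; because the shell lives in a core file, a hit on wp-includes/vars.php means reinstalling WordPress core, not just deleting the extension.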
Most of the plugin timestamps are from September 6 and 7, with a few files from September 2 and 3. For the themes, all were compromised on September 22, except accessbuddy, which was compromised on September 9.
Jetpack maintains a list of affected AccessPress themes and plugins on its website, noting which plugin versions are bad and which are clean. Plugins installed through WordPress.org are clean even if they are listed in the Bad column.
Removing the infected themes and plugins does not remove the backdoor, because the webshell lives in a modified core file. Instead, a clean reinstallation of WordPress is needed to revert the core file modifications.