WordPress security vendor Jetpack has uncovered a widespread supply chain attack that compromised 93 WordPress plugins and themes: 53 plugins and 40 themes belonging to the developer AccessPress had a backdoor inserted into their source code. AccessPress add-ons are used on over 360,000 active websites.
Admins who unknowingly installed a compromised AccessPress plugin or theme will have introduced a malicious initial.php file. This file acts as a dropper, embedding itself into the main theme directory and into the theme's functions.php file.
This file contains a base64-encoded payload that writes a web shell into the vars.php file, giving an attacker remote access to the site with administrative privileges. From there the attacker can perform whatever malicious actions they desire, as they effectively control the WordPress site.
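The infection chain above leaves a small set of file-level indicators that a site owner can sweep for: a dropper named initial.php and a web shell named vars.php inside a theme directory, a functions.php that pulls one of them in, and an obfuscated payload decoded with base64 and passed to eval. The scanner below is an added example written for this summary; it is not Jetpack's YARA rule set and not code from the disclosure. The two file names come from the summary; the functions.php include check and the eval(base64_decode(...)) / long-base64-literal heuristics are assumptions about how such a payload typically presents, so treat hits as leads to inspect, not proof of compromise. The sample theme tree it scans is constructed inline and contains no working payload.

```python
import os
import re
import tempfile
from pathlib import Path

# File names named in the disclosure summary: the dropper and the web shell it writes.
SUSPECT_FILENAMES = {"initial.php", "vars.php"}

# Assumption: the dropper persists by having functions.php include/require one of the
# suspect files. The summary only says it "embeds itself" in functions.php.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*(initial|vars)\.php", re.IGNORECASE
)

# Generic obfuscation heuristics (assumed, not from the disclosure): eval of a
# base64-decoded blob, or a very long base64 string literal in a theme file.
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
LONG_B64_RE = re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")


def scan_theme_file(path: Path) -> list:
    """Return (path, reason) findings for a single PHP file under a theme directory."""
    findings = []
    if path.name in SUSPECT_FILENAMES:
        findings.append((str(path), "suspect-filename"))
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    if path.name == "functions.php" and INCLUDE_RE.search(text):
        findings.append((str(path), "functions-php-include"))
    if EVAL_B64_RE.search(text):
        findings.append((str(path), "eval-base64"))
    elif LONG_B64_RE.search(text):
        findings.append((str(path), "long-base64-literal"))
    return findings


def scan_themes(themes_dir) -> list:
    """Walk wp-content/themes (or any directory) and collect findings for every .php file."""
    findings = []
    for root, _dirs, files in os.walk(Path(themes_dir)):
        for name in files:
            if name.endswith(".php"):
                findings.extend(scan_theme_file(Path(root) / name))
    return sorted(findings)


def build_sample_tree(base) -> Path:
    """Constructed sample: one clean theme and one theme showing the indicators above.
    The 'compromised' files are inert stand-ins, not real malware."""
    base = Path(base)
    clean = base / "themes" / "clean-theme"
    clean.mkdir(parents=True)
    (clean / "functions.php").write_text("<?php\nadd_action('init', 'clean_theme_setup');\n")
    (clean / "style.css").write_text("/* Theme Name: Clean */\n")

    bad = base / "themes" / "constructed-theme"
    bad.mkdir(parents=True)
    (bad / "functions.php").write_text("<?php\ninclude_once __DIR__ . '/initial.php';\n")
    (bad / "initial.php").write_text("<?php\n// constructed stand-in for the dropper; intentionally inert\n")
    # base64 of the word 'constructed'; harmless, only here to trigger the heuristic
    (bad / "vars.php").write_text("<?php\neval(base64_decode('Y29uc3RydWN0ZWQ='));\n")
    return base / "themes"


def run_sample_scan() -> list:
    """Build the constructed tree in a temp dir, scan it, return (theme, file, reason) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        return [
            (Path(p).parent.name, Path(p).name, reason)
            for p, reason in scan_themes(build_sample_tree(tmp))
        ]


if __name__ == "__main__":
    # Point scan_themes() at a real wp-content/themes directory to sweep a live install.
    for theme, filename, reason in run_sample_scan():
        print(f"{reason:24} {theme}/{filename}")
```

Run `scan_themes("/path/to/wp-content/themes")` against a real install; anything flagged should be diffed against a clean copy of the theme from the vendor, since a hit on the filename alone does not confirm the backdoor and a long base64 literal can be a legitimate embedded asset.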
It should be noted that a possible motive for such a large supply chain attack could be the desire to sell access to compromised sites for monetary gain on the dark web.
Simply upgrading to a new version of the affected plugins will not remove the backdoor(s) from a compromised website. It is recommended to read the original disclosure by Jetpack and utilise their YARA rules and remediation advice to clean up and recover from the compromise. Full details of the affected plugins can also be found there.
Source: Bleeping Computer