Categories: Technology

WordPress plugins Are Vulnerable To Open Backdoors

Criminals no longer just use browser extensions to gain users’ trust and spread their malware. In this way, they currently gain access to a large number of websites. A significant portion of all offerings on the web are now made available through the WordPress content management system. Website operators can easily integrate various additional features into their projects using add-ons.

Attackers are increasingly using this to carry out so-called supply chain attacks – in other words, individual pages are no longer hacked, but malicious code is smuggled in through supposedly trustworthy third-party modules. Security researchers found a total of 93 different WordPress plugins and themes that were used to outfit a website with a backdoor that gave the attacker full administrative access.

These are extensions delivered through the AccessPress Themes platform, so it’s obvious that the attackers could access them, according to a report from Ars Technica appears. This is also supported by the fact that the same plugins and themes offered through other platforms like WordPress.org come without malicious code.

Verification Required

The backdoor code is injected into a file called initial.php, which is usually not part of the installation. This is then integrated via a manipulated variant of functions.php. The strange code itself is camouflaged with a base64 encoding so that it is not immediately noticeable on a superficial inspection. The security researchers themselves found several dozen sites in this way backdoors. However, the number can be much larger. In any case, WordPress administrators who have used the said download platform to obtain plugins should therefore check if the backdoor has been able to sneak in them.

Recent Posts

Google Health: A bug is currently really annoying Pixel Watch users

An annoying software error is currently plaguing many owners of the Google Pixel Watch. The…

7 hours ago

Pixel Watch 5: Leak shows the design of the new Google smartwatch in advance

After the new Google smartphones in the Pixel 11 series, official marketing images of the…

7 hours ago

Epson is in court: first lawsuit over planned obsolescence

A French consumer protection association is taking Epson to court. The accusation is of planned…

7 hours ago

EU brings Meta to its knees: ChatGPT is running again in WhatsApp chat

After a months-long exclusion by the Facebook group Meta, the well-known AI chatbot ChatGPT has…

7 hours ago

Good news for Windows 11: Microsoft is banning advertising from search

Microsoft is fundamentally redesigning the search in Windows 11. The operating system loses advertising, forced…

7 hours ago

iOS 27 public beta is here: Apple starts the test phase for all iPhone users

Interested users can now install the first public beta version of iOS 27 on their…

8 hours ago