Over 300,000 WordPress sites have been left vulnerable and open to attack, following the discovery of a supply chain attack.

Bleeping Computer reports that cybersecurity researchers for Jetpack, a security and optimisation tool for WordPress, found that a malicious actor had compromised AccessPass, a developer of themes and add-ons for the CMS platform.

AccessPass has a portfolio of 40 themes and 53 plugins, and all of the free ones are reported to have been compromised so that when installed, they allow cybercriminals full control over the website.

According to the report, the researchers did not test commercial plugins or themes and are as yet unable to confirm if they have also been compromised.

The report also states that the malicious code that grants attackers access, covers its tracks with relative success. The only way to discover if a site was compromised or not, is to use a core file integrity monitoring solution, it was said.

Selling the vulnerability online

The researchers found that the backdoor was used to redirect visitors to malware-installing and scam sites. The lack of complexity to the second step of the hack has led researchers to believe that the original malicious actors likely sold access to third parties on the dark web.

The vulnerability affects 360,000 websites that are using AccessPass’ add-ons and themes. It was dissevered by Jetpack in September last year and were pulled from the store by the developer, before being replaced with updated and clean versions on 17 January.

However, if the site has already been compromised, simply installing the latest version will not remove the backdoor. It will just prevent future threats. At present, the only way to clean up the site is to migrate to a different theme. 

To learn if your site was compromised, WordPress users can follow the instructions found here. 

If you’re looking for web development in Hull, get in touch today.