93 WordPress Themes And Plugins Compromised!

Over 90+ plugins and themes from AccessPress has been compromised? Are you using them? Check out the full list and what to do to protect your site.
Marie Aquino
January 25, 2022

A total of 93 WordPress themes and plugins (40 themes and 53 plugins) have been compromised in a massive supply chain attack, which provided a backdoor that gave threat-actors full access to the websites.

The attack was discovered by Jetpack researchers and the themes and plugins belong to the WordPress developer AccessPress. The developers add ons are used in over 360,000 active websites.

Plugins and themes downloaded from WordPress.org are ok, however, those that were downloaded since September from the AccessPress site need to be addressed.

What To Do If Your Site Uses The Compromised Plugins and Themes

If you have installed some of the 40 themes or 53 plugins (A full list of the compromised themes and plugins can be accessed in the Jetpack site ) that have been compromised, uninstalling, replacing, or updating them would not resolve the issue.

Due to this, it is advised that a scan of the site to look for signs of compromise must be done. Here are some checks that can be done, according to bleepingcomputer.com

  • Check your wp-includes/vars.php file around lines 146-158. If you see a “wp_is_mobile_fix” function there with some obfuscated code, you’ve been compromised.
  • Query your file system for “wp_is_mobile_fix” or “wp-theme-connect” to see if there are any affected files
  • Replace your core WordPress files with fresh copies.
  • Upgrade the affected plugins and switch to a different theme.
  • Change the wp-admin and database passwords.

In addition, Jetpack has also provided the following YARA rule that can be used to check if your site has been infected:

rule accesspress_backdoor_infection

{

strings:

   // IoC’s for the dropper

   $inject0 = “$fc = str_replace(‘function wp_is_mobile()’,”

   $inject1 = “$b64($b) . ‘function wp_is_mobile()’,”

   $inject2 = “$fc);”

   $inject3 = “@file_put_contents($f, $fc);”

   // IoC’s for the dumped payload

   $payload0 = “function wp_is_mobile_fix()”

   $payload1 = “$is_wp_mobile = ($_SERVER[‘HTTP_USER_AGENT’] == ‘wp_is_mobile’);”

   $payload2 = “$g = $_COOKIE;”

   $payload3 = “(count($g) == 8 && $is_wp_mobile) ?”

   $url0 = /https?:\/\/(www\.)?wp\-theme\-connect\.com(\/images\/wp\-theme\.jpg)?/

condition:

   all of ( $inject* )

   or all of ( $payload* )

   or $url0

}

AccessPress has released clean versions of the plugins, however, the themes haven’t been cleaned up yet and still pose a risk.

Changing to another theme is the only way to mitigate the security risks, for now.