The Jetpack team announced that it had discovered suspicious code in a theme from AccessPress Themes. Its investigation showed that all of AccessPress' themes and most of its plugins contained the suspicious code, but only in the copies downloaded from the vendor's own website; the same extensions in the WordPress.org directory were clean. The backdoor is tracked as CVE-2021-24867.
Compromised extensions
Because of the way the extensions had been tampered with, Jetpack suspected that an attacker had breached the vendor's website in order to distribute infected copies of its extensions, and contacted the vendor with that suspicion. After Jetpack escalated the matter to the WordPress.org plugin team, the company confirmed the breach: its websites were compromised in September 2021, and the attacker injected a backdoor into the extensions offered for download there.
The company immediately removed the extensions from its website and later replaced the plugins with updated, clean versions. The affected themes, however, have not been updated and have been pulled from the WordPress.org theme repository, so there is no clean version of them to upgrade to. Users who installed any of the themes listed below should migrate to a different theme as soon as possible.
Affected Themes (slug and affected version)
accessbuddy 1.0.0
accesspress-basic 3.2.1
accesspress-lite 2.92
accesspress-mag 2.6.5
accesspress-parallax 4.5
accesspress-ray 1.19.5
accesspress-root 2.5
accesspress-staple 1.9.1
accesspress-store 2.4.9
agency-lite 1.1.6
aplite 1.0.6
bingle 1.0.4
bloger 1.2.6
construction-lite 1.2.5
doko 1.0.27
enlighten 1.3.5
fashstore 1.2.1
fotography 2.4.0
gaga-corp 1.0.8
gaga-lite 1.4.2
one-paze 2.2.8
parallax-blog 3.1.1574941215
parallaxsome 1.3.6
punte 1.1.2
revolve 1.3.1
ripple 1.2.0
scrollme 2.1.0
sportsmag 1.2.1
storevilla 1.4.1
swing-lite 1.1.9
the-launcher 1.3.2
the-monday 1.4.1
uncode-lite 1.3.1
unicon-lite 1.2.6
vmag 1.2.7
vmagazine-lite 1.3.5
vmagazine-news 1.0.5
zigcy-baby 1.0.6
zigcy-cosmetics 1.0.5
zigcy-lite 2.0.9
Affected Plugins
accesspress-anonymous-post
accesspress-custom-css
accesspress-custom-post-type
accesspress-facebook-auto-post
accesspress-instagram-feed
accesspress-pinterest
accesspress-social-counter
accesspress-social-icons
accesspress-social-login-lite
accesspress-social-share
accesspress-twitter-auto-post
accesspress-twitter-feed
ak-menu-icons-lite
ap-companion
ap-contact-form
ap-custom-testimonial
ap-mega-menu
ap-pricing-tables-lite
apex-notification-bar-lite
cf7-store-to-db-lite
comments-disable-accesspress
easy-side-tab-cta
everest-admin-theme-lite
everest-coming-soon-lite
everest-comment-rating-lite
everest-counter-lite
everest-faq-manager-lite
everest-gallery-lite
everest-google-places-reviews-lite
everest-review-lite
everest-tab-lite
everest-timeline-lite
inline-call-to-action-builder-lite
product-slider-for-woocommerce-lite
smart-logo-showcase-lite
smart-scroll-posts
smart-scroll-to-top-lite
total-gdpr-compliance-lite
total-team-lite
ultimate-author-box-lite
ultimate-form-builder-lite
woo-badge-designer-lite
wp-1-slider
wp-blog-manager-lite
wp-comment-designer-lite
wp-cookie-user-info
wp-facebook-review-showcase-lite
wp-fb-messenger-button-lite
wp-floating-menu
wp-media-manager-lite
wp-popup-banners
wp-popup-lite
wp-product-gallery-lite
As the lists above show, a large number of AccessPress themes and plugins are affected. Any of the thousands of WordPress sites that installed one of them from the vendor's website rather than from WordPress.org may now carry the backdoor.
The Jetpack advisory gives the following guidance to affected site owners:
« If you have any themes or plugins installed directly from AccessPress Themes or any other place except WordPress.org, you should upgrade immediately to a safe version as indicated in the tables above. If no safe version is available, replace it with the latest version from WordPress.org.
Please note that this does not remove the backdoor from your system, so in addition, you need to reinstall a clean version of WordPress to revert the core file modifications done during installation of the back door. »
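To make the lists and the guidance above actionable, here is an added example (my own code, not Jetpack's or AccessPress') that walks a site's wp-content directory, reads the standard WordPress file headers (`Theme Name:`, `Plugin Name:`, `Version:`), and flags any installed theme or plugin whose slug appears in the lists, comparing theme versions against the affected builds. It assumes the stock `wp-content/themes` and `wp-content/plugins` layout; the wp-content tree it scans is constructed inline for the demo, and the plugin version in that sample (1.8.3) is made up. Because the page gives no plugin versions, and because a copy with the same slug from WordPress.org was clean, a plugin hit is reported as something to confirm, not as a confirmed compromise.

```python
import os
import re
import tempfile

# Theme slug -> affected version, transcribed from the theme list above.
_T = """
accessbuddy 1.0.0 accesspress-basic 3.2.1 accesspress-lite 2.92 accesspress-mag 2.6.5
accesspress-parallax 4.5 accesspress-ray 1.19.5 accesspress-root 2.5 accesspress-staple 1.9.1
accesspress-store 2.4.9 agency-lite 1.1.6 aplite 1.0.6 bingle 1.0.4 bloger 1.2.6
construction-lite 1.2.5 doko 1.0.27 enlighten 1.3.5 fashstore 1.2.1 fotography 2.4.0
gaga-corp 1.0.8 gaga-lite 1.4.2 one-paze 2.2.8 parallax-blog 3.1.1574941215 parallaxsome 1.3.6
punte 1.1.2 revolve 1.3.1 ripple 1.2.0 scrollme 2.1.0 sportsmag 1.2.1 storevilla 1.4.1
swing-lite 1.1.9 the-launcher 1.3.2 the-monday 1.4.1 uncode-lite 1.3.1 unicon-lite 1.2.6
vmag 1.2.7 vmagazine-lite 1.3.5 vmagazine-news 1.0.5 zigcy-baby 1.0.6 zigcy-cosmetics 1.0.5
zigcy-lite 2.0.9
""".split()
AFFECTED_THEMES = dict(zip(_T[::2], _T[1::2]))

# Plugin slugs from the plugin list above; the page gives no versions for them.
AFFECTED_PLUGINS = set("""
accesspress-anonymous-post accesspress-custom-css accesspress-custom-post-type
accesspress-facebook-auto-post accesspress-instagram-feed accesspress-pinterest
accesspress-social-counter accesspress-social-icons accesspress-social-login-lite
accesspress-social-share accesspress-twitter-auto-post accesspress-twitter-feed
ak-menu-icons-lite ap-companion ap-contact-form ap-custom-testimonial ap-mega-menu
ap-pricing-tables-lite apex-notification-bar-lite cf7-store-to-db-lite
comments-disable-accesspress easy-side-tab-cta everest-admin-theme-lite
everest-coming-soon-lite everest-comment-rating-lite everest-counter-lite
everest-faq-manager-lite everest-gallery-lite everest-google-places-reviews-lite
everest-review-lite everest-tab-lite everest-timeline-lite
inline-call-to-action-builder-lite product-slider-for-woocommerce-lite
smart-logo-showcase-lite smart-scroll-posts smart-scroll-to-top-lite
total-gdpr-compliance-lite total-team-lite ultimate-author-box-lite
ultimate-form-builder-lite woo-badge-designer-lite wp-1-slider wp-blog-manager-lite
wp-comment-designer-lite wp-cookie-user-info wp-facebook-review-showcase-lite
wp-fb-messenger-button-lite wp-floating-menu wp-media-manager-lite wp-popup-banners
wp-popup-lite wp-product-gallery-lite
""".split())

# Header lines such as "Version: 1.2.3", optionally inside a "*" docblock; WP reads only the first 8 KiB.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)

def _read_header(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return dict(_HEADER_RE.findall(fh.read(8192)))

def _plugin_version(path):
    # WordPress identifies a plugin by the .php file carrying "Plugin Name:"; report that file's Version.
    files = [path] if os.path.isfile(path) else [
        os.path.join(path, f) for f in sorted(os.listdir(path)) if f.endswith(".php")]
    for php in files:
        hdr = _read_header(php)
        if "Plugin Name" in hdr:
            return hdr.get("Version", "?")
    return "?"

def scan_wp_content(wp_content):
    """Return (kind, slug, installed_version, note) for each installed extension on the lists.
    A slug match is a lead, not proof: the same slug fetched from WordPress.org was clean."""
    findings = []
    themes = os.path.join(wp_content, "themes")
    for slug in (sorted(os.listdir(themes)) if os.path.isdir(themes) else []):
        css = os.path.join(themes, slug, "style.css")
        if slug in AFFECTED_THEMES and os.path.isfile(css):
            ver, bad = _read_header(css).get("Version", "?"), AFFECTED_THEMES[slug]
            note = ("installed version matches the affected build; migrate to another theme"
                    if ver == bad else f"affected build is {bad}; confirm where this copy came from")
            findings.append(("theme", slug, ver, note))
    plugins = os.path.join(wp_content, "plugins")
    for entry in (sorted(os.listdir(plugins)) if os.path.isdir(plugins) else []):
        slug = entry[:-4] if entry.endswith(".php") else entry
        if slug in AFFECTED_PLUGINS:
            findings.append(("plugin", slug, _plugin_version(os.path.join(plugins, entry)),
                             "backdoored only if fetched from the vendor site; "
                             "reinstall from WordPress.org and verify core files"))
    return findings

def build_sample_site(root):
    # Constructed wp-content tree for the demo: made-up contents, not data from any real site.
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    write("themes/accesspress-lite/style.css", "/*\nTheme Name: AccessPress Lite\nVersion: 2.92\n*/\n")
    write("themes/twentytwentyone/style.css", "/*\nTheme Name: Twenty Twenty-One\nVersion: 1.4\n*/\n")
    write("plugins/accesspress-social-icons/accesspress-social-icons.php",
          "<?php\n/*\nPlugin Name: AccessPress Social Icons\nVersion: 1.8.3\n*/\n")
    write("plugins/hello.php", "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_wp_content(build_sample_site(tmp))
    for kind, slug, ver, note in findings:
        print(f"{kind:6} {slug:28} {ver:8} {note}")
    return findings

if __name__ == "__main__":
    demo()
```

Save it under any name (say `scan_accesspress.py`, a name of my choosing) and run it for the demo, or call `scan_wp_content("/var/www/html/wp-content")` against a real site. A plugin hit still leaves you to establish where that copy was downloaded from, and since the guidance above says the backdoor modifies WordPress core files, follow the scan with WP-CLI's `wp core verify-checksums` (and `wp plugin verify-checksums --all` for plugins hosted on WordPress.org), which compare the installed files against the WordPress.org checksums and report any that differ.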