The developer that created these add-ons, AccessPress Themes, is believed to have been compromised.
I’ve been writing about tech, including everything from privacy and security to consumer electronics and startups, since 2011 for a variety of publications.
AccessPress Themes customers should be on the lookout for updated versions of the company’s WordPress themes and plug-ins, because according to Jetpack, older versions of the popular add-ons were compromised to distribute backdoors as part of a supply chain attack.
Jetpack says it discovered the backdoored versions of these add-ons in September 2021. It disclosed the problem to AccessPress Themes a few days later, but it didn’t receive a response until it escalated the issue to the WordPress.org plug-ins team in October 2021.
AccessPress Themes then “immediately removed the offending extensions from their website,” Jetpack says, and by January the company had released updated versions of most of the plug-ins. But it still hasn’t updated any of the affected themes, according to Jetpack’s advisory.
That means AccessPress Themes customers’ response will depend on whether they’re using one of the company’s themes or one of its plug-ins. Jetpack says the former group should find a new theme; the latter group should make sure updated versions of the plug-ins are installed.
“Please note that this does not remove the backdoor from your system,” Jetpack says, “so in addition you need to reinstall a clean version of WordPress to revert the core file modifications done during installation of the back door.”
The issue doesn’t affect AccessPress Themes add-ons downloaded from the official WordPress.org directory, Jetpack says, but users should install the patched versions of the extensions anyway. The company’s themes have also been removed from the directory.
A list of compromised AccessPress Themes add-ons is available via Jetpack’s blog post. Jetpack says that it only analyzed freely available themes and plug-ins, however, and says that AccessPress Themes customers should reach out to the company for info about paid add-ons.
AccessPress Themes doesn’t appear to have acknowledged this incident. It last tweeted in March 2021, and it hasn’t posted anything to Facebook since Jan. 5, which is before Jetpack’s disclosure. The company didn’t immediately respond to a request for comment.
Read Nathaniel’s full bio
© 1996-2022 Ziff Davis. PCMag Digital Group