A recently discovered supply chain attack has reportedly put more than 300,000 WordPress sites at risk of attack.
Cybersecurity researchers from Jetpack (a WordPress security and optimization tool) found that a malicious actor compromised AccessPress, a developer of themes and add-ons for the website builder.
AccessPress has created 40 themes and 53 plugins so far. All the free ones have been compromised, so once installed they give the attackers full control over the website. Researchers have not tested the commercial ones and cannot confirm whether they were compromised as well. The report also notes that the malicious code that grants access to attackers covers its tracks with relative success. The only way to find out whether a website has been compromised is to use a core file integrity monitoring solution, it said.
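One way to run the kind of core file integrity check mentioned above, as an added example that is not taken from the Jetpack report: it compares a WordPress tree against a SHA-256 baseline and reports core files that were modified, removed or added. The baseline format, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories that should hold core files only, so any file there that is
# absent from the baseline is reported. wp-content (themes, plugins, uploads)
# changes legitimately and is left out of this check (assumption).
CORE_ONLY_DIRS = ("wp-admin", "wp-includes")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Baseline {relative_path: sha256}; record it from a trusted clean copy."""
    root = Path(root)
    files = (p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in files
            if p.relative_to(root).parts[0] != "wp-content"}

def verify_core(root, manifest):
    """Return core files modified, removed, or added since the baseline."""
    root = Path(root)
    findings = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in sorted(manifest.items()):
        target = root / rel
        if not target.is_file():
            findings["missing"].append(rel)
        elif sha256_file(target) != expected:
            findings["modified"].append(rel)
    for d in CORE_ONLY_DIRS:
        for p in sorted((root / d).rglob("*")):
            rel = p.relative_to(root).as_posix()
            if p.is_file() and rel not in manifest:
                findings["unexpected"].append(rel)
    return findings

def demo():
    """Constructed sample tree, changed after the baseline is recorded."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("index.php", "wp-admin/admin.php", "wp-includes/version.php"):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"<?php // clean " + rel.encode())
        manifest = build_manifest(root)
        (root / "wp-includes/version.php").write_bytes(b"<?php // altered")
        (root / "wp-includes/extra.php").write_bytes(b"<?php // not in baseline")
        (root / "wp-admin/admin.php").unlink()
        return verify_core(root, manifest)
```

The baseline has to be stored somewhere the web server cannot write to; a manifest kept inside the site's own document root can be altered along with the files it describes.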
Selling the vulnerability online
So far, researchers have found that the backdoor was used to redirect visitors to malware-dropping and scam sites….