WordPress admins who use any plugins or themes downloaded from AccessPress are being urged to take action after researchers discovered that backdoors were installed in many of the app maker’s products months ago.

AccessPress plugins and themes downloaded from WordPress.org are okay. However, those downloaded since September from AccessPress need mitigation.

According to researchers at WordPress security firm Jetpack, who discovered the compromise, as of January 18th most AccessPress plugins had been updated, however, as of that date the affected themes had not been updated, and were pulled from the WordPress.org theme repository. It isn’t clear at the time of publishing if AccessPress themes had been updated.

Admins should scour their systems for signs of compromise in addition to updating plugins and themes if their WordPress systems use the affected extensions. Jetpack notes that upgrading to a new version of a theme or plugin doesn’t remove the backdoor from a system, and says admins should reinstall a clean version of WordPress to revert the core file modifications done during installation of the backdoor.

According to researcher Ben Martin at Sucuri, once the AccessPress website was compromised the attackers placed PHP backdoors into many of its free plugins and themes. Martin said 40 themes were known to be affected, as well as 53 plugins.

“The backdoor was quite simple,” he said, “but provided the attackers with full control over the victim’s websites.”

Based in Nepal, AccessPress makes 64 free and paid themes and templates to make things easier for WordPress designers, and 109 plugins to expand WordPress capabilities. Plugins include contact forms, blog managers and e-commerce aids.

WordPress plugins from a variety of developers have been targets for hackers for years, who often use them to access credit/debit card data from online shoppers.

Related content: Vulnerabilities in WordPress plugins more than doubled in 2021

Jetpack said the infected extensions contained a dropper for a webshell that gives the attackers full access to the infected sites. The dropper is located in the file inital.php located in the main plugin or theme directory. When run it, installs a cookie based webshell in wp-includes/vars.php. The shell is installed as a function just in front of the wp_is_mobile() function with the name of wp_is_mobile_fix(). This, Jetpack said, is presumably to not arouse suspicion to anybody casually scrolling through the vars.php file.

Once the shell is installed, Jetpack said, the dropper will phone home by loading a remote image from the URL hxxps://wp-theme-connect.com/images/wp-theme.jpg with the url of the infected site and information about which theme it uses as query arguments. Finally, it will remove the dropper source file to avoid detection when the request is finished executing.

“If you have any themes or plugins installed directly from AccessPress Themes or any other place except WordPress.org, you should upgrade immediately to a safe version as indicated in the tables above,” Jetpack said. “If no safe version is available, replace it with the latest version from WordPress.org.”

Again, Jetpack urges admins to reinstall a clean version of WordPress to revert the core file modifications done during installation of the back door.

“We strongly recommend that you have a security plan for your site that includes malicious file scanning and backups,” Jetpack said.

Sucuri said admins should follow the standard post-infection steps like updating wp-admin administrator and database passwords as a precaution.