Home > SWS Blog > 53 Plugins and 40 Themes from AccessPress Hacked
Wordpress Logo

53 Plugins and 40 Themes from AccessPress Hacked

WordPress admins who use any plugins or themes downloaded from AccessPress are being urged to take action after researchers discovered that backdoors were installed in many of the app maker’s products months ago.

The attack was discovered by researchers at Jetpack. Jetpack believes an external threat actor breached the AccessPress website to compromise the software and infect further WordPress sites.

How It Works

As soon as admins installed a compromised AccessPress product on their site, the actors added a new “initial.php” file into the main theme directory and included it in the main “functions.php” file.

This file contained a base64-encoded payload that writes a webshell to the “./wp-includes/vars.php” file.

Insert "nerd Speak" Here

The malicious code completed the backdoor installation by decoding the payload and injecting it into the “vars.php” file, essentially giving the threat actors remote control over the infected site.

The only way to detect this threat is to use a core file integrity monitoring solution, since the malware deletes the “initial.php” dropper file to cover its tracks.

Jetpack has a very detailed analysis on its website.

Who Is Infected

First and foremost, you need to have an infected plugin or theme installed.

If you have any of the themes below installed on your site, we recommend migrating to a different theme as soon as you’re able. As of January 18th, most AccessPress plugins had been updated; however, the affected themes had not been updated and were pulled from the WordPress.org theme repository.

 

Theme slugVersion
accessbuddy1.0.0
accesspress-basic3.2.1
accesspress-lite2.92
accesspress-mag2.6.5
accesspress-parallax4.5
accesspress-ray1.19.5
accesspress-root2.5
accesspress-staple1.9.1
accesspress-store2.4.9
agency-lite1.1.6
aplite1.0.6
bingle1.0.4
bloger1.2.6
construction-lite1.2.5
doko1.0.27
enlighten1.3.5
fashstore1.2.1
fotography2.4.0
gaga-corp1.0.8
gaga-lite1.4.2
one-paze2.2.8
parallax-blog3.1.1574941215
parallaxsome1.3.6
punte1.1.2
revolve1.3.1
ripple1.2.0
scrollme2.1.0
sportsmag1.2.1
storevilla1.4.1
swing-lite1.1.9
the-launcher1.3.2
the-monday1.4.1
uncode-lite1.3.1
unicon-lite1.2.6
vmag1.2.7
vmagazine-lite1.3.5
vmagazine-news1.0.5
zigcy-baby1.0.6
zigcy-cosmetics1.0.5
zigcy-lite2.0.9

Table 1: Themes and versions compromised by the attack

Affected plugins

If you have any of the following plugins with a version number in the Bad column installed on your site, we recommend upgrading to the version in the Clean column immediately. It’s worth noting that the plugins installed through WordPress.org are clean, even if they are listed in the Bad column. We still recommend upgrading to the known clean version to be on the safe side.

Plugins with no version number in the Clean column have not yet been upgraded, and we recommend replacing them with other plugins if at all possible.

Plugin slugBadCleanNote
accesspress-anonymous-post2.8.02.8.11
accesspress-custom-css2.0.12.0.2 
accesspress-custom-post-type1.0.81.0.9 
accesspress-facebook-auto-post2.1.32.1.4 
accesspress-instagram-feed4.0.34.0.4 
accesspress-pinterest3.3.33.3.4 
accesspress-social-counter1.9.11.9.2 
accesspress-social-icons1.8.21.8.3 
accesspress-social-login-lite3.4.73.4.8 
accesspress-social-share4.5.54.5.6 
accesspress-twitter-auto-post1.4.51.4.6 
accesspress-twitter-feed1.6.71.6.8 
ak-menu-icons-lite 1.0.9 
ap-companion 1.0.72
ap-contact-form1.0.61.0.7 
ap-custom-testimonial1.4.61.4.7 
ap-mega-menu3.0.53.0.6 
ap-pricing-tables-lite1.1.21.1.3 
apex-notification-bar-lite2.0.42.0.5 
cf7-store-to-db-lite1.0.91.1.0 
comments-disable-accesspress1.0.71.0.8 
easy-side-tab-cta1.0.71.0.8 
everest-admin-theme-lite1.0.71.0.8 
everest-coming-soon-lite1.1.01.1.1 
everest-comment-rating-lite2.0.42.0.5 
everest-counter-lite2.0.72.0.8 
everest-faq-manager-lite1.0.81.0.9 
everest-gallery-lite1.0.81.0.9 
everest-google-places-reviews-lite1.0.92.0.0 
everest-review-lite1.0.7  
everest-tab-lite2.0.32.0.4 
everest-timeline-lite1.1.11.1.2 
inline-call-to-action-builder-lite1.1.01.1.1 
product-slider-for-woocommerce-lite1.1.51.1.6 
smart-logo-showcase-lite1.1.71.1.8 
smart-scroll-posts2.0.82.0.9 
smart-scroll-to-top-lite1.0.31.0.4 
total-gdpr-compliance-lite1.0.4  
total-team-lite1.1.11.1.2 
ultimate-author-box-lite1.1.21.1.3 
ultimate-form-builder-lite1.5.01.5.1 
woo-badge-designer-lite1.1.01.1.1 
wp-1-slider1.2.91.3.0 
wp-blog-manager-lite1.1.01.1.2 
wp-comment-designer-lite2.0.32.0.4 
wp-cookie-user-info1.0.71.0.8 
wp-facebook-review-showcase-lite 1.0.9 
wp-fb-messenger-button-lite 2.0.7 
wp-floating-menu1.4.41.4.5 
wp-media-manager-lite1.1.21.1.3 
wp-popup-banners1.2.31.2.4 
wp-popup-lite1.0.8  
wp-product-gallery-lite1.1.1 

If you think you might be infected, note that if you downloaded the plugin or theme directly from the AccessPress website then the likelihood is great that you are infected. If you downloaded the plugin or theme directly from WordPress.org, then the likelihood is good that you are NOT compromised.

How Do I Clean This Up?

  1. If a theme is infected on your site, delete it and replace it with a new one. You cannot install the Accesspress theme again, as Accesspress has not removed the vulnerability from their themes as of the time this post was made. (NOTE** Deleting the compromised theme is extremely important; if you keep it on your server, then the compromise is still alive on your server and can be accessed by the bad actor)
  2. If the plugin is infected, delete the old plugin and install the new version. Do NOT just upgrade. If you simply upgrade, the bad actor may have created new files within the compromised plugin folders, and those compromised files would remain. Deleting and then reinstalling is the best option in a case like this.
  3. If you site has been compromised, you need to not only update or replace the plugin/theme, but you need to delete all wordpress core files from wp-admin and wp-includes and, the core WordPress files in the root folder (index.php, license.txt, readme.html, wp-activate.php, wp-blog-header.php, wp-comments-post.php, wp-config-sample.php, wp-cron.php, wp-links-opml.php, wp-load.php, wp-login.php, wp-settings.php,wp-signup.php, wp-trackback.php, xmlrpc.php), then using FTP upload clean WordPress core files. (NOTE ** wp-content is a WordPress core folder, but does not contain any files that have been compromised. If you delete this folder, you will likely be hating life for a while) (NOTE** Do NOT delete the wp-config.php file} {Make sure you have a good backup before you delete anything)
  4. The database does not appear to be affected.
  5. Change your WP-Admin password
  6. Change your database password

Resources
https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/
https://www.itworldcanada.com/article/over-90-wordpress-themes-and-plugins-from-accesspress-hacked-says-report/471193
https://www.bleepingcomputer.com/news/security/over-90-wordpress-themes-plugins-backdoored-in-supply-chain-attack/

Have Questions?

Has Your Website Been Hacked

Contact Us
First
Last