AccessPress: Malicious code in WordPress themes

IT security firm Jetpack has found malicious code in AccressPress WordPress themes that allow attackers to completely take over the affected sites. All themes and extensions loaded directly from the AccessPress site are affected.

Full access through malicious code

The suspected code was found in all themes and plug-ins offered by AccessPress. Said code is a dropper for a webshell that gives attackers full access to the respective page. The intrusion into the AccessPress system is said to have taken place in September 2021. Anyone who has installed or updated a theme or plug-in from this company since then should therefore examine their site as soon as possible and either update the extension in question or replace it with a replacement.

Jetpack lists exactly which themes and plug-ins are affected in detail in its security alert. However, Jetpack did not check paid extensions, which is why they do not appear in the list. Since the AccessPress system as a whole has been compromised, it can be assumed that all unlisted extensions are affected as well.

Remove malicious code

AccessPress initially removed all extensions from its website. In the meantime, they are gradually being uploaded in updated form. In order to remove the malicious code, the affected extensions must be removed from your own site – as already mentioned – and replaced if necessary. In addition, the modifications mentioned in the security message should be searched for in order to detect a possible built-in backdoor into the core files. To remove one, a clean WordPress version should be installed over the compromised one.

Extensions from WordPress repositories not affected

Jetpack further notes that the malicious code is only present in extensions downloaded directly from the vendor’s site. On the other hand, the same extensions that were loaded via the WordPress repository are not affected. They have nevertheless been removed; however, the new versions are not yet available here.