Open Source 2021-09-02 · 43 days · Backdoor, Remote Access

AccessPress add-ons created backdoors

AccessPress Themes' own download site was breached, turning legitimate WordPress themes and plugins into backdoored vendor ZIPs while the WordPress.org copies remained clean.

Story

The AccessPress compromise was a vendor-site distribution attack. The same themes and plugins were clean when installed from WordPress.org, but the ZIPs served from AccessPress Themes carried added PHP. Users chose the vendor's official site and received different code.

The injected dropper lived in inital.php. When the extension ran, it modified wp-includes/vars.php and installed a cookie-driven webshell named wp_is_mobile_fix near the legitimate wp_is_mobile() function. The dropper then contacted wp-theme-connect.com and removed itself.

Jetpack found plugin timestamps clustered in early September 2021 and theme timestamps on September 22, with modified files appearing minutes after the archive contents. That pattern fit a coordinated rewrite of released ZIPs rather than ordinary development.

The blast radius was broad: dozens of free themes and plugins, plus unknown exposure for paid products. Cleanup required more than replacing the extension, because the backdoor wrote into WordPress core files after installation.
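Because the backdoor wrote into a core file, checking the installed extension alone is not enough. As an added defensive example (not part of this record or of Jetpack's tooling), the following Python script checks a WordPress tree for the indicators named above: a leftover inital.php, a wp_is_mobile_fix definition in wp-includes/vars.php, and the listed SHA-256; the plugin directory name and the PHP file contents in the demo are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from this incident record
DROPPER_NAME = "inital.php"
CORE_TARGET = Path("wp-includes") / "vars.php"
WEBSHELL_FUNC = "wp_is_mobile_fix"
KNOWN_SHA256 = {"0918af9a5c6060dec985b98bbf54030cd29f1701ca9fdb6abfc1e39f90e5113e"}

def scan_wordpress(root):
    """Return a list of findings for a WordPress install; an empty list means no indicator hit."""
    root = Path(root)
    findings = []
    # 1. The dropper removes itself, but a leftover copy under wp-content is a strong signal.
    for path in (root / "wp-content").rglob(DROPPER_NAME):
        findings.append("dropper file present: %s" % path.relative_to(root))
    # 2. The webshell is written into a core file, so reinstalling the extension alone misses it.
    vars_php = root / CORE_TARGET
    if vars_php.is_file() and WEBSHELL_FUNC in vars_php.read_text(errors="replace"):
        findings.append("%s defined in %s" % (WEBSHELL_FUNC, CORE_TARGET))
    # 3. Hash match against the listed indicator across every PHP file in the tree.
    for path in root.rglob("*.php"):
        if hashlib.sha256(path.read_bytes()).hexdigest() in KNOWN_SHA256:
            findings.append("known-bad hash: %s" % path.relative_to(root))
    return findings

def build_constructed_install(tmp, infected):
    """Write a minimal fake WordPress tree (constructed data, not a real payload)."""
    root = Path(tmp)
    plugin_dir = root / "wp-content" / "plugins" / "example-plugin"  # constructed name
    plugin_dir.mkdir(parents=True)
    (root / "wp-includes").mkdir()
    core = "<?php\nfunction wp_is_mobile() { return false; }\n"
    if infected:
        core += "function wp_is_mobile_fix() { /* stand-in for the cookie-driven handler */ }\n"
        (plugin_dir / DROPPER_NAME).write_text("<?php // constructed dropper stand-in\n")
    (root / CORE_TARGET).write_text(core)

def demo():
    """Scan one clean and one infected constructed install; returns both finding lists."""
    results = {}
    for label in ("clean", "infected"):
        with tempfile.TemporaryDirectory() as tmp:
            build_constructed_install(tmp, infected=(label == "infected"))
            results[label] = scan_wordpress(tmp)
    return results
```

Run `scan_wordpress` against a real document root to get the finding list; a hit on the core file means vars.php must be restored from a clean WordPress release, not just the extension reinstalled.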

Affected Artifacts

ap-companion

wordpress · accesspressthemes.com · Plugin
Observed
2021-09-02 to 2021-10-15
Compromised Versions
Fixed
Not listed
  • Jetpack notes this plugin was not updated but was believed clean because it was not originally available on the AccessPress Themes website.

Incident Context

Motive
Remote Access
Cause
Compromised Infrastructure
Transitive
No
User Impact
360000

Indicators

  • Location: pkg:generic/accesspress-theme?repository_url=https://accesspressthemes.com
  • Location: pkg:generic/accesspress-plugin?repository_url=https://accesspressthemes.com
  • File: inital.php
  • File: wp-includes/vars.php
  • Function: wp_is_mobile_fix
  • Domain: wp-theme-connect.com
  • Hash: sha256:0918af9a5c6060dec985b98bbf54030cd29f1701ca9fdb6abfc1e39f90e5113e

Notes

  • Legacy version notes: 40 themes and 53 plugins from AccessPress Themes or Access Keys vendor downloads; WordPress.org-hosted copies were reported clean by Jetpack

External References

Source record: oss/attacks/accesspress/meta.yaml