Jetpack Discovers Backdoor in Popular WordPress Themes, Plug-Ins

The developer that created these add-ons, AccessPress Themes, is believed to have been compromised.

AccessPress Themes customers should be on the lookout for updated versions of the company's WordPress themes and plug-ins, because according to Jetpack, older versions of the popular add-ons were compromised to distribute backdoors as part of a supply chain attack.

Jetpack says it discovered the backdoored versions of these add-ons in September 2021. It disclosed the problem to AccessPress Themes a few days later, but it didn't receive a response until it escalated the issue to the WordPress.org plug-ins team in October 2021.

AccessPress Themes then "immediately removed the offending extensions from their website," Jetpack says, and by January the company had released updated versions of most of the plug-ins. But it still hasn't updated any of the affected themes, according to Jetpack's advisory.

That means AccessPress Themes customers' response will depend on whether they're using one of the company's themes or one of its plug-ins. Jetpack says the former group should find a new theme; the latter group should make sure updated versions of the plug-ins are installed.

"Please note that this does not remove the backdoor from your system," Jetpack says, "so in addition you need to reinstall a clean version of WordPress to revert the core file modifications done during installation of the back door."

The issue doesn't affect AccessPress Themes add-ons downloaded from the official WordPress.org directory, Jetpack says, but users should install the patched versions of the extensions anyway. The company's themes have also been removed from the directory.

A list of compromised AccessPress Themes add-ons is available via Jetpack's blog post. Jetpack says that it only analyzed freely available themes and plug-ins, however, and that AccessPress Themes customers should reach out to the company for info about paid add-ons.

AccessPress Themes doesn't appear to have acknowledged this incident. It last tweeted in March 2021, and it hasn't posted anything to Facebook since Jan. 5, which is before Jetpack's disclosure. The company didn't immediately respond to a request for comment.

About Nathaniel Mott