CVE-2021-24867 Overview
CVE-2021-24867 represents a significant supply chain attack affecting numerous WordPress plugins and themes from AccessPress Themes (aka Access Keys). The vendor's website was compromised, resulting in backdoored versions of their plugins and themes being distributed to unsuspecting users. This supply chain compromise allowed attackers to embed malicious code into legitimate software packages, potentially affecting thousands of WordPress installations worldwide.
Importantly, only plugins and themes downloaded directly from the AccessPress Themes vendor website were affected by this backdoor. Versions hosted on the official WordPress.org repository remained clean and uncompromised. However, all affected products have since been updated or removed from distribution to prevent further confusion and potential compromise.
Critical Impact
Supply chain attack enabling unauthorized backdoor access to WordPress sites, potentially allowing complete site takeover, data theft, and persistent malicious access.
Affected Products
- AccessPress Themes WordPress Plugins (40+ plugins including AccessPress Social Counter, AccessPress Social Share, AP Contact Form, and others)
- AccessPress Themes WordPress Themes (50+ themes including AccessPress Lite, AccessPress Parallax, AccessPress Mag, and others)
- All plugins and themes downloaded from the compromised AccessPress Themes vendor website (wordpress.org versions unaffected)
Discovery Timeline
- 2022-02-21 - CVE-2021-24867 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-24867
Vulnerability Analysis
This vulnerability falls under CWE-912 (Hidden Functionality), indicating the presence of undocumented functionality embedded within the software. The attack represents a classic supply chain compromise where threat actors gained access to the AccessPress Themes distribution infrastructure and injected malicious backdoor code into legitimate plugin and theme packages.
The backdoor provides attackers with persistent remote access capabilities to affected WordPress installations. Once a compromised plugin or theme is installed and activated on a WordPress site, the hidden functionality enables unauthorized access without requiring authentication. This type of supply chain attack is particularly insidious because users trust software from legitimate vendors and may not scrutinize the code before installation.
The scope of this compromise is extensive, affecting over 90 distinct plugins and themes from a single vendor. WordPress sites that downloaded and installed affected versions from the vendor's website between the time of compromise and discovery remained vulnerable until the backdoor was identified and removed.
Root Cause
The root cause of this vulnerability is a supply chain compromise of the AccessPress Themes vendor website infrastructure. Attackers successfully breached the vendor's distribution system and modified the legitimate plugin and theme packages to include backdoor functionality. This represents a failure in the vendor's infrastructure security, allowing malicious actors to tamper with software distribution channels.
The backdoor code was embedded in a way that allowed it to persist through normal plugin/theme updates when those updates were also distributed through the compromised channel. The hidden functionality was designed to blend in with legitimate code, making detection more difficult for site administrators who might review their installed plugins.
Attack Vector
The attack leverages a network-based vector through the compromised software distribution channel. The exploitation flow follows this pattern:
- Initial Compromise: Attackers breach the AccessPress Themes vendor website infrastructure
- Code Injection: Malicious backdoor code is injected into legitimate plugin and theme ZIP packages
- Distribution: Users download and install compromised packages believing they are legitimate
- Activation: Upon installation and activation, the backdoor becomes active on the victim's WordPress site
- Persistence: The hidden functionality provides ongoing unauthorized access to the compromised site
The backdoor allows attackers to execute arbitrary code, modify content, steal credentials, and potentially pivot to other systems accessible from the compromised WordPress installation. Since no user interaction beyond normal plugin/theme installation is required, the attack is particularly effective at scale.
Detection Methods for CVE-2021-24867
Indicators of Compromise
- Presence of any AccessPress Themes plugins or themes downloaded directly from the vendor website (not from wordpress.org)
- Unexpected files or modified core files within AccessPress plugin/theme directories
- Outbound network connections to unknown or suspicious external domains originating from WordPress
- Unauthorized administrative users or modified user privileges in WordPress
- Unusual PHP files with obfuscated code in the wp-content/plugins/ or wp-content/themes/ directories
Detection Strategies
- Compare file hashes of installed AccessPress plugins/themes against known clean versions from wordpress.org
- Implement file integrity monitoring to detect unauthorized modifications to WordPress plugin and theme files
- Review WordPress audit logs for suspicious administrative activities or unexpected user account changes
- Deploy web application firewall (WAF) rules to detect and block common backdoor communication patterns
- Perform regular malware scans using WordPress security plugins capable of identifying known backdoor signatures
Monitoring Recommendations
- Enable comprehensive logging for all WordPress administrative actions and file system changes
- Monitor outbound network traffic from web servers for connections to unusual destinations
- Set up alerts for any new administrative user creation or privilege escalation events
- Implement real-time file system monitoring on the wp-content directory structure
- Regularly audit installed plugins and themes against the official wordpress.org repository versions
How to Mitigate CVE-2021-24867
Immediate Actions Required
- Immediately audit all installed WordPress plugins and themes to identify any AccessPress Themes products
- Verify the download source of all AccessPress plugins/themes (vendor website vs. wordpress.org)
- Remove or replace any plugins/themes downloaded from the compromised vendor website
- Perform a comprehensive malware scan of the entire WordPress installation
- Reset all administrative passwords and review user accounts for unauthorized additions
Patch Information
Clean versions of affected plugins and themes have been made available through the official WordPress.org repository. Site administrators should remove any versions downloaded from the AccessPress Themes vendor website and replace them with verified clean versions from wordpress.org. Additionally, some plugins have been completely removed from distribution.
For detailed information about affected versions and remediation steps, consult the Jetpack Blog Backdoor Discovery article and the WPScan Vulnerability Report.
Workarounds
- Only download WordPress plugins and themes from the official wordpress.org repository
- Implement a policy requiring verification of software sources before installation on production sites
- Consider replacing affected AccessPress plugins/themes with alternative products from different vendors
- Deploy a web application firewall (WAF) to help detect and block backdoor activity
- Establish regular security audits and penetration testing for WordPress installations
# Check for AccessPress plugins/themes in WordPress installation
find /path/to/wordpress/wp-content/plugins -name "*.php" -exec grep -l "accesspress" {} \;
find /path/to/wordpress/wp-content/themes -name "*.php" -exec grep -l "accesspress" {} \;
# Compare installed plugin/theme checksums against clean versions
wp plugin verify-checksums --all
wp theme verify-checksums --all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
