Customers of AccessPress Themes should keep an eye out for updated versions of the company’s WordPress themes and plug-ins, as older versions of the popular add-ons were allegedly used to propagate backdoors as part of a supply chain attack, according to Jetpack.

Jetpack discovers backdoor in popular WordPress Themes, Plugins

According to Jetpack, the backdoored versions of these add-ons were found in September 2021. It reported the problem to AccessPress Themes a few days later, but didn’t hear back until October 2021, when it escalated the matter to the WordPress.org plug-ins team.

According to Jetpack, AccessPress Themes “quickly removed the infringing extensions from their website,” and by January, most of the plug-ins had been updated. According to Jetpack’s alert, it hasn’t updated any of the affected themes.

It means that customers’ reactions will differ depending on whether or not they’re using one of AccessPress Themes’ themes or plug-ins. According to Jetpack, the first group should look for a new theme, while the second group should make sure that the plug-ins are updated.

“Please be warned that this does not remove the backdoor from your system,” Jetpack warns, “therefore you’ll need to reinstall a fresh model of WordPress to undo the core file modifications made throughout the installation of the backdoor.”

According to Jetpack, the problem does not affect AccessPress Themes add-ons downloaded from the official WordPress.org repository, but customers should install the patched versions of the extensions regardless. Themes associated with the company were also left off the list.

Jetpack’s blog post contains a list of AccessPress Themes add-ons that have been compromised. Jetpack claims to have only looked at freely available themes and plug-ins, and that AccessPress Themes customers should contact the company for information on premium add-ons.

This incident does not appear to have been recognised by AccessPress Themes. It last tweeted in March 2021, and it hasn’t posted to Facebook since January 5, which is before Jetpack’s announcement. A request for comment was not immediately returned by the company.