Backdoor in popular WordPress plug-ins
Following the discovery of a backdoor in three popular plug-ins, the developers of WordPress reset the passwords for WordPress.org and blocked access to all extension repositories while they "looked for anything else unsavory". It is still unclear how the backdoors got into the AddThis, WPtouch and W3 Total Cache plug-ins.
The WordPress developers have determined that the plug-ins' developers did not create the backdoors themselves; currently, it is assumed that attackers got hold of their account access data and manipulated the code in the repository. The operators of WordPress.org did not, however, say how the unidentified parties could have got hold of this access data, explaining merely that the case is still being investigated and that passwords have been reset to be on the safe side, including for the web sites bbPress.org and BuddyPress.org.
The backdoors in the plug-ins are reported to be very well camouflaged. The WordPress developers have put the old versions without a backdoor back into the repositories. Anyone who uses these plug-ins and has updated over the past few days should revisit the update web site and install the version currently offered. That should remove potential backdoors – unless attackers have already entered the system and set up additional access channels.
(djwm)