• peakperformancedigital

    (@peakperformancedigital)


    This is not Advanced Custom Fields, this is a “hacked up, bastardized simulacra” of Advanced Custom Fields that WordPress copied and put in ACF’s place. This move from WordPress to replace the legitimate ACF plugin with their version is essentially a Supply Chain Attack, and it should have even the slightest security-conscious website owner or administrator concerned.

Viewing 5 replies - 1 through 5 (of 5 total)
  • How is this an “attack”?

    • This reply was modified 5 months, 1 week ago by kaushikc.

    How is it not an attack? 2 million plus websites installed a plugin trusted by the community. Everyone that installed this plugin is now running untrusted and unwanted PHP code on their website that is not by the author. This is a supply chain attack. PHP has essentially been force pushed to corporate websites. The risk factor for using WP in the future given this can happen at any time again is off the charts.

    Yes, however there was no malicious code injection or intent to harm the users for this to be classified as an “attack”.

    Thread Starter peakperformancedigital

    (@peakperformancedigital)

    The very act of replacing trusted code from one vendor with untrusted code from another vendor is malicious.

    Act may be malicious but the code is not.
