Backdoor Discovered in 30 WordPress Plugins After Ownership Change
Severity: High (Score: 69.0)
Sources: anchor.host, pluto.security, News.Ycombinator, Techcrunch
Summary
A significant supply chain attack was identified in WordPress plugins after the acquisition of Essential Plugin. The malicious code, which had been dormant for months, activated in early April 2026, allowing unauthorized access to websites using the affected plugins. The backdoor was embedded in at least 30 plugins, impacting over 20,000 active installations. The malicious code was designed to fetch spam links and redirect traffic while remaining hidden from site owners. The WordPress.org Plugins Team responded by permanently removing all affected plugins from their directory. Security experts warn that the incident highlights the risks associated with plugin ownership changes, as users are not notified of such transitions. This incident follows another similar attack reported just a week prior. Essential Plugin, which had over 400,000 installs, is now defunct, and users are advised to check for and remove the compromised plugins.
Key Points
- Over 30 WordPress plugins were compromised after a change in ownership.
- The backdoor activated in early April 2026, affecting over 20,000 installations.
- All affected plugins have been permanently removed from the WordPress directory.
Key Entities
- Supply Chain Attack (attack_type)
- Essential Plugin (company)
- Vue.js (company)
- India (country)
- analytics.essentialplugin.com (domain)
- widgetlogic.org (domain)
- wordpress.org (domain)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1055 - Process Injection (mitre_attack)
- T1059.004 - Unix Shell (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- Chrome Web Store (platform)
- Google Workspace (platform)
- Microsoft Defender For Endpoint (platform)
- Microsoft Edge Management Service (platform)
- PHP (platform)
- Google Chrome (tool)