Massive Supply Chain Attack Hits WordPress Plugins with Dormant Backdoors
Severity: High (Score: 69.0)
Sources: Thenextweb, Cybersecuritynews, anchor.host, patchstack.com, Bleepingcomputer
Summary
A significant supply chain attack was uncovered following the acquisition of the Essential Plugin company, after which backdoors were inserted into at least 30 WordPress plugins. The malicious code remained dormant for eight months before being activated in early April 2026, allowing unauthorized access to websites using the affected plugins. The attack was first detected on April 6, 2026, when a warning was issued about the Countdown Timer Ultimate plugin. Security audits revealed that the backdoor was hidden in the plugin code and was capable of executing arbitrary functions and downloading malicious files. The WordPress.org Plugins Team has since removed the compromised plugins from its directory, but many users may still have them installed. The affected plugins reportedly had over 400,000 installations combined, impacting a large number of WordPress sites globally. This incident highlights the risks associated with trusting third-party plugins without ongoing scrutiny of their ownership and code integrity.
Key Points:
- Over 30 WordPress plugins were compromised after being acquired by a malicious actor.
- The backdoor remained dormant for eight months before activation, affecting over 400,000 installations.
- WordPress.org has removed the affected plugins, but users are advised to check for installations.
Key Entities
- Malware (attack_type)
- Supply Chain Attack (attack_type)
- Essential Plugin (company)
- Nextend (company)
- Ethereum (company)
- Vue.js (company)
- India (country)
- analytics.essentialplugin.com (domain)
- widgetlogic.org (domain)
- wordpress.org (domain)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1055 - Process Injection (mitre_attack)
- T1059.004 - Unix Shell (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- Chrome Web Store (platform)
- Google Workspace (platform)
- Microsoft Defender For Endpoint (platform)
- Microsoft Edge Management Service (platform)
- PHP (platform)
- Google Chrome (tool)