An attacker purchased the entire Essential Plugin portfolio - 30+ WordPress…
An attacker purchased the entire Essential Plugin portfolio - 30+ WordPress plugins with ~400k installs - on Flippa.
➡️ First code commit introduced a PHP deserialization backdoor ➡️ Dormant for 8 months ➡️ Activated in April 2026, injecting cloaked SEO spam across thousands of sites. ➡️ WordPress shut down all 31 plugins in a single day
Find out more: https://bit.ly/4u9pJb9
Attacker Bought 30 WordPress Plugins on Flippa and Backdoored All of Them
An attacker purchased 30+ WordPress plugins on Flippa for six figures, planted a PHP deserialization backdoor in the first commit, and waited eight months before activating it across 400,000 installations. The attack used Ethereum smart contracts to resolve C2. WordPress.org has no mechanism for reviewing plugin ownership transfers, a gap that npm and PyPI addressed years ago.
bit.ly
Comments (0)