Backdoored Essential Plugin WordPress Add-ons Compromised Thousands of Sites
A supply-chain attack hit the Essential Plugin WordPress portfolio after the plugin business was reportedly acquired by a new owner who inserted a hidden backdoor into trusted add-ons used by thousands of websites. Researchers said the malicious code was added to Countdown Timer Ultimate version 2.6.7 in August 2025 as a PHP deserialization backdoor, then left dormant for about eight months before activating in early April 2026. Once triggered, affected sites contacted analytics.essentialplugin.com, received additional payloads, and had malicious code written into wp-config.php.
The compromise allowed attackers to serve hidden spam links, fake pages, and redirects to Googlebot while remaining largely invisible to site owners. WordPress.org subsequently closed all 31 Essential Plugin entries in the plugin directory and pushed version 2.6.9.1 to remove the phone-home behavior, but reports warned that the update did not clean already-compromised wp-config.php files. Hosting providers and researchers urged administrators to manually inspect and remove any still-installed malicious plugins and persistence left on their servers, underscoring the risk that plugin ownership changes can turn established WordPress software into a malware distribution channel.
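As an added example (not code from the researchers, WordPress.org or the sources listed on this page), the Python script below audits a WordPress tree for the indicators this story names: the analytics.essentialplugin.com domain, a wp-config.php changed on or after the April 5, 2026 activation, and Countdown Timer Ultimate from 2.6.7 up to, but not including, 2.6.9.1. The function names, reason strings and sample tree are assumptions constructed for illustration; a hit is a prompt for manual review against a known-good backup, and an empty result does not prove a site is clean.

```python
import os, re, tempfile
from datetime import datetime, timezone

C2_DOMAIN = "analytics.essentialplugin.com"             # domain named on this page
ACTIVATION = datetime(2026, 4, 5, tzinfo=timezone.utc)  # activation date from this page
FIRST_BAD, FIRST_CLEAN = (2, 6, 7), (2, 6, 9, 1)        # versions from this page

def header(text, field):  # read one field from a WordPress plugin header comment
    m = re.search(rf"^[ \t/*#@]*{re.escape(field)}:\s*(.+)$", text, re.M | re.I)
    return m.group(1).strip() if m else ""

def audit(wp_root):
    """Return (relative path, reason) pairs that need manual review."""
    findings = []
    cfg = os.path.join(wp_root, "wp-config.php")
    if os.path.isfile(cfg):
        with open(cfg, errors="replace") as fh:
            if C2_DOMAIN in fh.read():
                findings.append(("wp-config.php", "references C2 domain"))
        # Weak signal on its own: legitimate edits also change the mtime.
        if datetime.fromtimestamp(os.path.getmtime(cfg), timezone.utc) >= ACTIVATION:
            findings.append(("wp-config.php", "modified since activation date"))
    for dirpath, _, files in os.walk(os.path.join(wp_root, "wp-content", "plugins")):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
            if C2_DOMAIN in text:
                findings.append((rel, "references C2 domain"))
            if header(text[:8192], "Plugin Name") == "Countdown Timer Ultimate":
                ver = tuple(int(n) for n in re.findall(r"\d+", header(text[:8192], "Version")))
                if FIRST_BAD <= ver < FIRST_CLEAN:
                    findings.append((rel, "version in backdoored range"))
    return findings

def demo():  # builds a constructed sample tree (markers only, no real payload)
    root = tempfile.mkdtemp()
    plug = os.path.join(root, "wp-content", "plugins", "sample-plugin")
    os.makedirs(plug)
    with open(os.path.join(plug, "sample.php"), "w") as fh:
        fh.write("<?php\n/*\n * Plugin Name: Countdown Timer Ultimate\n * Version: 2.6.8\n */\n")
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php // constructed marker: " + C2_DOMAIN + "\n")
    stamp = ACTIVATION.timestamp() + 86400  # one day after activation
    os.utime(cfg, (stamp, stamp))
    return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `audit()` against the real document root rather than `demo()` when checking a live site.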

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly disclose the WordPress plugin supply-chain attack
By mid-April 2026, reporting and researcher analysis revealed that dozens of Essential Plugin-associated WordPress plugins used on thousands of websites had been backdoored after an ownership change. The disclosure highlighted the broader risk that WordPress users are not automatically notified when plugin ownership changes hands.
WordPress.org pushes cleanup update for affected plugins
WordPress.org released version 2.6.9.1 to remove the plugins' phone-home mechanism, but the update did not remediate malicious changes already written into compromised wp-config.php files. Site owners were warned to manually inspect and clean infected installations.
WordPress.org closes compromised Essential Plugin plugins
On April 7, 2026, WordPress.org shut down all 31 Essential Plugin plugins in the directory and marked them closed following discovery of the compromise. The plugins were removed from distribution to limit further exposure.
Dormant backdoor activates and pushes malicious payloads
On April 5–6, 2026, the hidden backdoor began contacting analytics.essentialplugin.com and delivering malicious code to affected WordPress sites. The malware modified wp-config.php to serve hidden spam links, fake pages, and redirects to Googlebot while staying largely invisible to site owners.
Backdoor inserted into Essential Plugin codebase
The new owner allegedly inserted a PHP deserialization backdoor into Countdown Timer Ultimate version 2.6.7, with the malicious code then remaining dormant for months across the Essential Plugin portfolio.
Attacker acquires Essential Plugin business
A threat actor reportedly purchased the Essential Plugin WordPress plugin business from founder Minesh Shah via Flippa, setting up a supply-chain compromise through a trusted plugin portfolio.
Sources
6 references tracked.
Malicious WordPress Plugins with Backdoors Compromise Thousands of Websites
techrepublic.com
WordPress plugins compromised after acquisition, leading to backdoor installation | brief | SC Media
scworld.com
Hackers Hide Backdoor in Trusted WordPress Plugins for 8 Months Before Activating Malware
cybersecuritynews.com
WordPress plugin suite hacked to push malware to thousands of sites
bleepingcomputer.com
Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites | TechCrunch
techcrunch.com
Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them.
anchor.host


