RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: essential-plugin (1 article)Clear
threat
2026-04-15

Attacker bought 30+ WordPress plugins on Flippa, planted backdoor in August 2025, activated it 8 months later across hundreds of thousands of sites

One of the most methodical WordPress supply chain attacks ever: a buyer known only as 'Kris' purchased the entire Essential Plugin portfolio (30+ free WordPress plugins) on the Flippa marketplace for six figures. In August 2025, they injected a PHP deserialization backdoor in version 2.6.7, disguised as a compatibility check for WordPress 6.8.2. The malicious code sat dormant for eight months, building trust. On April 5-6, 2026, the attacker activated it - the C2 domain analytics.essentialplugin[.]com began distributing payloads to every site running the compromised plugins. The backdoor injected cloaked SEO spam into wp-config.php, visible only to Googlebot. WordPress.org permanently closed all 31 plugins on April 7 and pushed a forced auto-update - but the cleanup only removed the phone-home code, not the wp-config.php modifications, meaning compromised sites still served spam after the 'fix'. This happened the same week as the Smart Slider 3 supply chain attack we reported April 11 - two different supply chain attacks via the WordPress trusted update channel in one week.

wordpresssupply-chainessential-pluginflippabackdoorseo-spamphp-deserializationdormant-malware
Check
Check if any of your WordPress sites use plugins from the Essential Plugin / WP Online Support author. The full list of 31 affected plugins includes Starter Templates, Starter Templates for Starter Template, Blog Designer, Countdown Timer Ultimate, Starter Templates Manager, and many more.
Affected
WordPress sites running any of the 31 Essential Plugin plugins that were active before April 8, 2026. The backdoor was present since version 2.6.7 (August 2025). Affected plugins include: Starter Templates for starter template themes, Blog Designer for Post and Widget, Countdown Timer Ultimate, Album and Image Gallery Plus Lightbox, Audio Player with Playlist Ultimate, and 26+ others.
Fix
If any affected plugin was active on your site: (1) Check wp-config.php for injected code and clean it manually - the WordPress.org forced update did NOT fix this. (2) Search for and remove wp-comments-posts.php if present. (3) Scan all files for additional payloads. (4) Rotate all admin and database credentials. (5) Check for hidden admin accounts. The WordPress.org forced update to 2.6.9.1 disabled the phone-home mechanism but did not remediate existing compromise. Treat affected sites as fully compromised.