A malicious actor purchased a suite of WordPress plugins on the Flippa marketplace and inserted backdoor code to compromise thousands of websites [1, 2].
This incident highlights a critical vulnerability in the software supply chain, where the transfer of ownership of popular tools can lead to mass infections of unsuspecting users.
More than 30 WordPress plugins were compromised with malicious code [1]. These tools were part of the "EssentialPlugin" suite, which was distributed through the WordPress plugin ecosystem after the attacker acquired the assets [2, 4].
According to reports, the backdoor code was planted in late 2025 [1, 2]. The malicious code remained dormant for eight months [2, 3] before the attacker activated it in April 2026 [3, 5]. This delay likely allowed the compromised versions to be widely adopted before the threat became apparent.
Once activated, the backdoor delivered payloads including SEO spam and unauthorized redirects [1, 3]. The attacker specifically targeted Googlebot with cloaked SEO spam to manipulate search rankings and generate ad revenue [1, 2]. The breach also granted the attacker persistent unauthorized access to the affected sites [1, 3].
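Cloaking of the kind described above (spam served only when the visitor identifies as Googlebot) is invisible to a site owner browsing normally, so one practical check is to request the same page twice, once with a browser User-Agent and once with Googlebot's, and diff the links the two responses contain. The script below is an added example written for this article; it is not code from the cited reports or from the affected plugins. The two HTML responses are constructed sample data, and the helper names (`cloaked_links`, `fetch_as`, `check_site`) are the author's own.

```python
import urllib.request
from html.parser import HTMLParser

# Constructed sample responses (not captures from any real site):
# the browser-facing page and the same page as served to a crawler.
NORMAL_HTML = """<html><body>
<h1>Welcome to the Example Bakery</h1>
<p>We bake bread. <a href="https://example.com/menu">Menu</a></p>
</body></html>"""

BOT_HTML = """<html><body>
<h1>Welcome to the Example Bakery</h1>
<p>We bake bread. <a href="https://example.com/menu">Menu</a></p>
<div style="display:none">
<a href="https://spam.invalid/cheap-pills">cheap pills</a>
<a href="https://spam.invalid/casino">online casino</a>
</div>
</body></html>"""

# Googlebot's published desktop UA string and an ordinary browser UA.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def extract_links(doc: str):
    """Return every (href, text) link in the document, in order."""
    parser = LinkCollector()
    parser.feed(doc)
    parser.close()
    return parser.links


def cloaked_links(normal_html: str, bot_html: str):
    """Links present in the crawler-facing response but absent from the browser-facing one."""
    seen = set(extract_links(normal_html))
    return [link for link in extract_links(bot_html) if link not in seen]


def fetch_as(url: str, user_agent: str, timeout: float = 10.0) -> str:
    """Fetch url with the given User-Agent header (network call; not used by the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url: str):
    """Fetch a page as a browser and as Googlebot and report crawler-only links."""
    return cloaked_links(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA))


if __name__ == "__main__":
    for href, text in cloaked_links(NORMAL_HTML, BOT_HTML):
        print(f"crawler-only link: {text!r} -> {href}")
```

Run `check_site("https://your-site.example/")` against your own site to compare live responses. A spoofed User-Agent only catches cloaking that keys on the UA string; code that also verifies the client IP by reverse DNS will keep serving the clean page, so Google Search Console's URL Inspection tool, which fetches from Google's own infrastructure, remains the authoritative view of what the crawler sees.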
"More than 30 WordPress plugins have been compromised with malicious code that allows unauthorized access to websites running them," BleepingComputer editorial staff said [1].
The scale of the impact is significant, with hundreds of thousands of active installations affected [3]. A TechRepublic senior writer said, "This supply-chain attack turned a popular plugin suite into a massive malware distribution platform, affecting thousands of WordPress sites" [3].
"The backdoor lay dormant for eight months before being activated to serve cloaked SEO spam only to Googlebot," The Next Web reporter said [2].
This attack demonstrates a growing trend in cybercrime where attackers acquire legitimate software assets to bypass security trust. By purchasing a known plugin suite, the actor inherited a built-in user base, turning a trusted update mechanism into a delivery system for malware. The eight-month dormancy period suggests a strategic approach to maximize the infection rate before triggering the payload, making detection by standard security scanners more difficult.