Dozens of WordPress plug-ins removed after backdoor discovered

2026-04-15 · Source: Dataconomy · Field: Technology & Digital — Software Development & Engineering, Cybersecurity & Data Privacy · Depth: Novice, quick

Summary

Dozens of WordPress plug-ins were removed from the directory following the discovery of a backdoor that delivered malicious code to users, an issue that arose after the corporate acquisition of plug-in maker Essential Plugin. The backdoor, added to the plug-ins' source code soon after last year's acquisition, remained inactive until recently, distributing malicious code to over 20,000 active WordPress installations. This incident highlights significant supply chain attack risks, especially given that WordPress users lack notifications regarding changes in plug-in ownership. Security researchers are concerned about malicious actors acquiring software to alter its code for widespread compromise. WordPress site owners are urged to verify and remove any remaining malicious plug-ins, which have been permanently closed.

Key takeaway

A supply chain attack via acquisition introduced a backdoor into dozens of WordPress plug-ins, delivering malicious code to over 20,000 active installations. These plug-ins, from Essential Plugin, have been permanently removed from the WordPress directory. Site owners must immediately verify and remove any remaining affected plug-ins to prevent compromise, underscoring the critical risk of unnotified plug-in ownership changes.

Topics

• WordPress Plug-ins
• Backdoor Discovery
• Supply Chain Attack
• Essential Plugin Acquisition
• Website Security

Best for: CTO, VP of Engineering/Data, Software Engineer, IT Professional, Security Engineer

Related on AIssential

• GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK — Chained supply chain and AI agent vulnerabilities are actively exploited, bypassing traditional security measures.
• Clarafy — Product Hunt's website, operating under the name Clarafy, employs a security verification process to safeguard against malicious bot activity.
• scan-for-secrets 0.1.1 — Version 0.1.1 of the "scan-for-secrets" tool was released on April 5th, 2026, designed to identify secrets within files intended for sharing.
• Kaspersky suspects Chinese hackers planted a backdoor into Daemon Tools in ‘widespread’ attack — A widespread supply chain attack compromised Daemon Tools, enabling targeted malware delivery to thousands of Windows systems.
• How a Poisoned Security Scanner Became the Key to Backdooring LiteLLM — Compromised CI/CD tools can enable supply chain attacks by exfiltrating publisher credentials to inject malicious code into legitimate packages.
• Vercel breach exposes the OAuth gap most security teams cannot detect, scope or contain — Unmonitored OAuth grants to third-party AI tools create critical, undetectable supply chain attack vectors.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Dataconomy.