Dozens of WordPress plug-ins have been taken offline after a hidden backdoor was discovered inside them, raising serious concerns about a large-scale supply chain attack.
The issue came to light after a new company acquired the plug-ins and quietly introduced malicious code into them.
The warning was first shared by Anchor Hosting founder Austin Ginder, who explained in a recent blog post that the affected plug-ins were developed by a company called Essential Plugin. According to Ginder, the plug-ins were purchased last year, and not long after, the backdoor was inserted into their source code. It remained inactive for months before suddenly activating earlier this month, allowing harmful code to be pushed to websites using the compromised plug-ins.
Essential Plugin claims its products have more than 400,000 installs and over 15,000 customers, while WordPress data shows the affected plug-ins were active on more than 20,000 websites. Since plug-ins often require deep access to a website’s system to function, they can also become a major security risk if compromised.
Ginder pointed out that WordPress does not notify users when a plug-in changes ownership, which can leave site owners unaware of potential risks. This creates an opportunity for attackers to take control of trusted software and use it to spread malicious code.
He also noted that this is the second time in recent weeks that a WordPress plug-in has been hijacked in a similar way. Security experts have long warned that buying existing software and modifying it is an effective way for attackers to target a large number of systems at once.
The affected plug-ins have now been removed from the WordPress directory and are marked as permanently closed. However, users are being urged to check their sites and uninstall any of the compromised plug-ins if they are still present. Essential Plugin has not responded to requests for comment.





