Backdoors discovered in dozens of WordPress plugins affecting thousands

Original: Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites

Why This Matters

Highlights supply-chain security risks in the WordPress plugin ecosystem, which is used by millions of websites.

Dozens of WordPress plugins from Essential Plugin were found to contain backdoors after a corporate buyout last year. The malicious code activated this month, affecting over 20,000 active installations and 400,000 plugin installs across thousands of websites.

Austin Ginder of Anchor Hosting discovered backdoors in WordPress plugins owned by Essential Plugin after someone bought the company last year and inserted malicious code. The dormant backdoor activated this month, distributing malicious code to affected websites. Essential Plugin claims over 400,000 plugin installs and 15,000 customers, and WordPress's own figures show the affected plugins in over 20,000 active installations. WordPress users are not notified when a plugin changes ownership, so a new owner can ship code to existing installations under the plugin's established name without users being aware of the change. This is the second WordPress plugin hijack discovered in two weeks. The affected plugins have been permanently removed from WordPress's plugin directory, but removal from the directory does not uninstall them from sites, so users must manually check for and remove any remaining installations.

Source

techcrunch.com