Over 30 plugins in the EssentialPlugin suite have been found to contain malicious code that grants unauthorized access to the websites using them.
The backdoor was planted by a threat actor last year but only recently began to be distributed through plugin updates; once active, it creates spam pages and redirects visitors as instructed by a command-and-control (C2) server.
The breach affects numerous plugins with a combined user base in the hundreds of thousands. Austin Ginder, founder of the managed WordPress hosting provider Anchor Hosting, uncovered the issue after receiving a notification about an add-on containing questionable code that permitted third-party access.
On closer examination, Ginder found that the backdoor had been hidden in every plugin of the EssentialPlugin collection since August 2025, following the company's acquisition by a new owner in a lucrative deal.
EssentialPlugin, originally founded in 2015 as WP Online Support and later rebranded in 2021, specializes in WordPress development, providing tools for sliders, galleries, marketing, WooCommerce extensions, SEO utilities, and themes.
According to Ginder, the backdoor lay dormant until its recent activation, at which point it silently connected to external infrastructure to download a file named ‘wp-comments-posts.php’. That file in turn injects malware into ‘wp-config.php’.
The malware stays hidden from site owners and resolves its C2 address through Ethereum to evade detection. Depending on the commands it receives, it can retrieve “spam links, redirects, and fabricated pages”.
“The sophistication of the injected code was remarkable. It fetched spam links, redirects, and fake pages from a command-and-control server, only displaying the spam to Googlebot, thus rendering it invisible to site administrators,” Ginder commented.
Analysis from the WordPress security platform PatchStack indicates that the backdoor was only activated when the ‘analytics.essentialplugin.com’ endpoint delivered malicious serialized content.
WordPress Response and Infection Assessment
In response to these reports, WordPress.org acted swiftly, deactivating the compromised plugins and pushing a forced update to all affected sites to cut off the backdoor’s C2 communication and disable it.
Nevertheless, developers have cautioned users that this measure does not clean the wp-config.php core configuration file, which connects a site to its database and holds other critical settings.

The WordPress.org Plugins Team further warned administrators using EssentialPlugin products that, while one known location for the backdoor is a file named wp-comments-posts.php, which closely resembles the legitimate wp-comments-post.php, the malware could also be hidden in other files.
BleepingComputer has reached out to EssentialPlugin for a statement on the malicious commit made after the acquisition, but had not received a response at the time of publication.
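The infection chain described above (a lookalike wp-comments-posts.php dropped somewhere in the install, plus an altered wp-config.php that the forced update does not clean) suggests a first triage pass for administrators. The shell script below is an added example, not code from the article, BleepingComputer or EssentialPlugin; it assumes that a clean wp-config.php loads code only through its standard require_once of wp-settings.php, so any other include, eval or base64_decode line there is worth a manual look.

```shell
# Added example, not from the article or EssentialPlugin. Assumption (not stated in the
# article): a clean wp-config.php loads code only via require_once of wp-settings.php.

# 1. Files named exactly wp-comments-posts.php (extra "s"), the lookalike of the
#    legitimate core file wp-comments-post.php.
find_lookalike_files() {
    find "$1" -type f -name 'wp-comments-posts.php' 2>/dev/null || true
}

# 2. wp-config.php lines that load other files or decode/eval payloads; anything
#    beyond the standard wp-settings.php bootstrap is flagged (heuristic, review by hand).
suspicious_config_lines() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 0
    grep -nE '(include|require)(_once)?[[:space:]]*\(?|eval[[:space:]]*\(|base64_decode' "$cfg" \
        | grep -v 'wp-settings\.php' || true
}

# Print findings; the last output line is the finding count; exit 0 only if clean.
scan_wp_root() {
    files=$(find_lookalike_files "$1")
    lines=$(suspicious_config_lines "$1")
    n=0
    if [ -n "$files" ]; then
        printf 'LOOKALIKE FILE:\n%s\n' "$files"
        n=$((n + $(printf '%s\n' "$files" | wc -l)))
    fi
    if [ -n "$lines" ]; then
        printf 'SUSPICIOUS wp-config.php LINE:\n%s\n' "$lines"
        n=$((n + $(printf '%s\n' "$lines" | wc -l)))
    fi
    echo "$n"
    [ "$n" -eq 0 ]
}

# Constructed sample tree (not a real infection) so the scan can be exercised offline.
build_sample_tree() {
    mkdir -p "$1/wp-content/plugins/some-plugin"
    touch "$1/wp-comments-post.php"   # legitimate core file, must not be flagged
    printf '<?php\ndefine("DB_NAME", "wp");\nrequire_once ABSPATH . "wp-settings.php";\n' \
        > "$1/wp-config.php"
    if [ "$2" = "infected" ]; then
        touch "$1/wp-content/plugins/some-plugin/wp-comments-posts.php"
        echo '@include "/CONSTRUCTED/path/wp-comments-posts.php";' >> "$1/wp-config.php"
    fi
}
# Usage: sh scan.sh /var/www/html   (no argument: demo run on the constructed tree)
if [ $# -gt 0 ]; then scan_wp_root "$1"; else
    tmp=$(mktemp -d); build_sample_tree "$tmp" infected; scan_wp_root "$tmp" || true; rm -rf "$tmp"
fi
```

A non-zero exit status means something was flagged; treat the wp-config.php hits as leads for manual review rather than proof of compromise, since the Plugins Team notes the malware may live in other files too.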
Source link: Bleepingcomputer.com.