

30 WordPress Plugins Turned Into Malware After Ownership Change (bleepingcomputer.com)

(Saturday April 18, 2026 @05:34PM (EditorDavid) from the supply-chain-attacked dept.)


Wednesday BleepingComputer reported that more than 30 WordPress plugins "[1]have been compromised with malicious code that allows unauthorized access to websites running them."

> A malicious actor planted the backdoor code last year but only recently started pushing it to users via updates, generating spam pages and causing redirects, as per the instructions received from the command-and-control (C2) server. The compromise affects plugins with hundreds of thousands of active installations and [2]was spotted by Austin Ginder, the founder of managed WordPress hosting provider Anchor Hosting, after receiving a tip about one add-on containing code that allowed third-party access.

>

> Further investigation by Ginder revealed that a backdoor had been present in all plugins within the EssentialPlugin package since August 2025, after the project was acquired in a six-figure deal by a new owner.... "The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners," explained Ginder.

"WordPress.org's v2.6.9.1 update neutralized the phone-home mechanism in the plugin," Ginder [3]writes in a blog post. "But it did not touch wp-config.php. The SEO spam injection was still actively serving hidden content to Googlebot.

"And here is the wildest part. It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time."

> This has happened before. In 2017, a buyer using the alias "Daley Tias" purchased the Display Widgets plugin (200,000 installs) for $15,000 and injected payday loan spam. That buyer went on to compromise at least 9 plugins the same way.... The WordPress plugin marketplace has a trust problem... The Flippa listing for Essential Plugin was public. The buyer's background in SEO and gambling marketing was public. And yet the acquisition sailed through without any review from WordPress.org.

>

> WordPress.org has no mechanism to flag or review plugin ownership transfers. There is no "change of control" notification to users. No additional code review triggered by a new committer. The Plugins Team responded quickly once the attack was discovered. But 8 months passed between the backdoor being planted and being caught.
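The behaviour Ginder describes above (spam served only to Googlebot, content fetched from a C2, the C2 domain looked up through an Ethereum contract via public JSON-RPC endpoints, and an injection in wp-config.php that the plugin update did not remove) can be hunted for with a static heuristic scan of a site's wp-config.php and plugin sources. The scanner below is an added example, not code from the article, Anchor Hosting or WordPress.org; its regex patterns are assumptions, and the sample snippets are constructed, not the actual injected code.

```python
from __future__ import annotations
import re
from pathlib import Path

# Heuristic signals taken from the behaviour the article describes. The exact
# patterns are assumptions; tune them to your own codebase to limit false positives.
SIGNALS = {
    "googlebot-cloaking": re.compile(  # User-Agent check paired with "Googlebot"
        r"HTTP_USER_AGENT.{0,160}?googlebot|googlebot.{0,160}?HTTP_USER_AGENT", re.I | re.S),
    "remote-fetch": re.compile(        # outbound fetch of content to show/serve
        r"\b(?:wp_remote_(?:get|post|request)|curl_exec|file_get_contents)\s*\(", re.I),
    "ethereum-rpc": re.compile(        # C2 resolution via blockchain JSON-RPC
        r"\beth_(?:call|getStorageAt|blockNumber)\b|['\"]jsonrpc['\"]", re.I),
}

def scan_source(src: str) -> list[str]:
    """Return the names of every signal matched in one PHP source string."""
    return [name for name, pat in SIGNALS.items() if pat.search(src)]

def severity(path: str, findings: list[str]) -> str:
    """wp-config.php should never fetch remote content or inspect the User-Agent;
    in a plugin, cloaking combined with a fetch or RPC lookup is the spam pattern."""
    if not findings:
        return "clean"
    if Path(path).name == "wp-config.php":
        return "high"
    if "googlebot-cloaking" in findings and ("remote-fetch" in findings or "ethereum-rpc" in findings):
        return "high"
    return "review"

def scan_tree(root: str) -> dict[str, tuple[str, list[str]]]:
    """Scan wp-config.php plus every plugin PHP file under a WordPress install root."""
    base = Path(root)
    targets = [base / "wp-config.php"] + sorted((base / "wp-content" / "plugins").rglob("*.php"))
    report: dict[str, tuple[str, list[str]]] = {}
    for f in targets:
        if f.is_file():
            hits = scan_source(f.read_text(errors="replace"))
            if hits:
                report[str(f.relative_to(base))] = (severity(str(f), hits), hits)
    return report

# Constructed samples (not the real injected code): a cloaking stub and a benign config.
SAMPLE_CLOAK = """<?php
if (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {
    $r = wp_remote_get($c2 . '/links');  // spam links only a crawler will ever see
    echo wp_remote_retrieve_body($r);
}"""
SAMPLE_BENIGN = "<?php\ndefine('DB_NAME', 'wp');\ndefine('WP_DEBUG', false);\n"

if __name__ == "__main__":
    print(scan_source(SAMPLE_CLOAK), severity("wp-config.php", scan_source(SAMPLE_CLOAK)))
```

Run `scan_tree("/var/www/html")` (path is an assumption) to get a per-file report; anything flagged in wp-config.php deserves a look regardless of which plugin update was applied.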

Thanks to Slashdot reader [4]axettone for sharing the news.



[1] https://www.bleepingcomputer.com/news/security/wordpress-plugin-suite-hacked-to-push-malware-to-thousands-of-sites/

[2] https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/

[3] https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/

[4] https://slashdot.org/~axettone



Friends don't let friends (Score:2, Insightful)

by Anonymous Coward

use WordPress

Re:Friends don't let friends (Score:5, Informative)

by 93 Escort Wagon ( 326346 )

Over the past several years, core WordPress has actually had fewer significant security bugs than Drupal.

The problem is that WordPress' plugin ecosystem, on the other hand, is basically still the Wild West.

Probably a tiny fraction... (Score:1)

by Narcocide ( 102829 )

...of the ones that are compromised by accident.

Why didn't AI catch this? (Score:2)

by Fly Swatter ( 30498 )

Seriously, this is exactly what AI puppets claim it is perfectly situated to catch.

Also any system that auto-updates from random parts of the world will always be vulnerable to this. Distributed is great until it isn't because you have to trust every part of the system - which is not possible.

Re: (Score:2)

by 0123456 ( 636235 )

Maybe the AI added it?

But yes, it's not possible to run a high-trust computing environment in a low-trust society. I still find it amusing that we were told we're not allowed to connect to the office from Linux machines because Security, yet we now use the "secure" Windows laptops to connect to the office and run software on Linux VMs which download all kinds of random dependencies from all over the Internet because "you can trust us, bro."

Since AI bots are technically able and completely immoral I think we
