More than 30 WordPress plugins in the EssentialPlugin package have been compromised with malicious code that allows unauthorized access to websites running them.
A malicious actor planted the backdoor code last year but only recently started pushing it to users via updates, generating spam pages and causing redirects, as per the instructions received from the command-and-control (C2) server.
The compromise affects plugins with hundreds of thousands of active installations and was spotted by Austin Ginder, the founder of managed WordPress hosting provider Anchor Hosting, after receiving a tip about one add-on containing code that allowed third-party access.
Further investigation by Ginder revealed that a backdoor had been present in all plugins within the EssentialPlugin package since August 2025, after the project was acquired in a six-figure deal by a new owner.
EssentialPlugin, established in 2015 as WP Online Support and rebranded in 2021, is a WordPress development firm offering sliders, galleries, marketing tools, WooCommerce extensions, SEO/analytics utilities, and themes.
According to Ginder, the backdoor sat inactive until it was recently activated and silently contacted external infrastructure to fetch a file (‘wp-comments-posts.php’) that injects malware into ‘wp-config.php.’
The downloaded malware is invisible to site owners and uses Ethereum-based C2 address resolution for evasion. Depending on the received instructions, the malware can retrieve “spam links, redirects, and fake pages”.
“The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners,” explained Ginder.
Analysis from WordPress security platform PatchStack shows that the backdoor worked only if the ‘analytics.essentialplugin.com’ endpoint returned with a malicious serialized content.
WordPress action and infection status
WordPress.org responded quickly to the reports of the malicious activity by closing the plugins and pushing a forced update to websites to neutralize the backdoor’s communication and disable its execution path.
However, the developers warned that the action did not clean the wp-config core configuration file, which connects websites to their databases and includes important settings.
The WordPress.org Plugins Team also cautioned administrators with websites running an EssentialPlugin product that while one known location for the backdoor is a file named wp-comments-posts.php, which resembles the legitimate wp-comments-post.php, the malware may also hide in other files.
has contacted EssentialPlugins for a comment on the reported malicious commit that occurred after the acquisition, but we have not received a response by publishing time.
.article-callout {
background-color: #f0f6ff;
width: 95%;
max-width: 800px;
margin: 15px auto;
border-radius: 8px;
border: 1px solid #d6ddee;
display: flex;
align-items: stretch;
overflow: hidden;
}
.article-media {
flex: 1;
max-width: 220px;
display: flex;
}
.article-media a {
display: flex;
width: 100%;
height: 100%;
}
.article-media img {
width: 100%;
height: 100%;
border-radius: 8px 0 0 8px;
display: block;
}
.article-callout .article-media img {
margin-top: 0 !important;
height: 100% !important;
}
.article-body {
flex: 2;
padding: 10px;
display: flex;
flex-direction: column;
justify-content: center;
}
.article-body h2 {
font-size: 17px !important;
font-weight: 700;
color: #333;
line-height: 1.4;
font-family: Georgia, “Times New Roman”, Times, serif;
margin: 0 0 14px 0;
}
.article-body p {
font-weight: bold;
font-size: 14px;
margin: 0 0 clamp(6px, 2vw, 14px) 0;
}
.article-link {
background-color: #fff;
border: 1px solid #3b59aa;
color: black;
text-align: center;
text-decoration: none;
border-radius: 8px;
display: inline-block;
font-size: 16px;
font-weight: bold;
padding: 10px 20px;
width: fit-content;
}
@media (max-width: 600px) {
.article-callout {
flex-direction: column;
align-items: center;
}
.article-media {
max-width: 100%;
}
.article-media img {
border-radius: 8px 8px 0 0;
}
.article-body {
padding: 15px;
width: 100%;
}
.article-link {
width: 100%;
margin: 0 auto;
box-sizing: border-box;
}
}
99% of What Mythos Found Is Still Unpatched.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
Comments