Dozens of plug-ins for WordPress have been taken offline after a backdoor was discovered that allowed malicious code to be distributed to thousands of affected websites.
Plugins Infected With Backdoors
The issue came to light after Austin Ginder reported a supply chain attack involving a plug-in developer known as Essential Plugin. According to Ginder, the company was acquired last year, after which a backdoor was inserted into the plug-ins’ source code.
The backdoor remained inactive for months before being triggered earlier this month. Once activated, it began pushing malicious code to websites that had the affected plug-ins installed.
Scale of the Impact
Essential Plugin claims its products have more than 400,000 installs and over 15,000 customers. However, data from WordPress indicates that the affected plug-ins were active on more than 20,000 websites at the time of the incident.
Plug-ins are widely used to extend the functionality of WordPress sites, but they also require deep access to system files. This level of access can create security risks if compromised.
Lack of Ownership Transparency
Ginder highlighted that WordPress users are not notified when a plug-in changes ownership. This gap can expose users to risks if a malicious party acquires a trusted plug-in and modifies its code.
He noted that this is the second known case of a WordPress plug-in takeover in recent weeks. Security researchers have previously warned about attackers purchasing software projects to distribute harmful code at scale.
Response and Recommendations
The affected plug-ins have been removed from the WordPress directory and are now listed as permanently closed.
Ginder advised website owners to review their installations and remove any affected plug-ins immediately. A list of compromised plug-ins has been published in his blog post.
Representatives for Essential Plugin did not respond to requests for comment.
