- Malicious actor purchased 31 WordPress plugins from Essential Plugin
- Updates injected backdoors, granting full access to the site
- Spam campaigns hidden from owners, C2 resolved via Ethereum smart contract
A hacker purchased over 30 legitimate WordPress plugins and abused their reputation to infect tens of thousands of websites with backdoors.
Austin Ginder, founder of Anchor Hosting, described how a customer recently alerted him to a known plugin suddenly allowing unauthorized third-party access. The investigation led him to a somewhat disturbing discovery: a company that developed 31 WordPress plugins, in free and premium versions, was sold in early 2025 to a person calling themselves “Kris”.
This person then added malicious code to all the plugins and pushed the update to WordPress websites that were actively using them.
Sophisticated code injection
The malicious company is called Essential Plugin and claims that its products were installed more than 400,000 times and were actively used by more than 15,000 customers. The official WordPress repository shows over 20,000 active WordPress installations.
The malware was essentially a backdoor that granted the attacker full access to websites. The goal appears to have been to propagate existing spam campaigns:
“The injected code was sophisticated,” Ginder explained. “He fetched spam links, redirects, and fake pages from a command-and-control server. He only showed the spam to Googlebot, making it invisible to site owners. And here’s the crazy part. He resolved his C2 domain via an Ethereum smart contract, querying RPC endpoints from the public blockchain. Traditional domain deletions wouldn’t work because the attacker could update the smart contract to point to a new domain at any time.”
The full list of compromised plugins can be found at this link. If you use one of these products, it would be wise to replace it with a safer alternative. Ginder also shared a fix method on his blog.
In the meantime, WordPress has removed all malicious plugins from the repository.
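Because the spam was served only to Googlebot, a site owner browsing their own pages would see nothing wrong. The check below is an added example, not code from Ginder or from the plugins: it compares the links a page serves to a browser User-Agent with those it serves to a Googlebot User-Agent and reports external targets that only the crawler receives. The sample HTML and the `.example` hostnames are constructed, and the function names are hypothetical.

```python
"""Detect crawler-only (cloaked) external links by diffing two responses."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.request import Request, urlopen

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class _Links(HTMLParser):
    """Collects absolute targets of <a href> and <meta http-equiv=refresh>."""
    def __init__(self, base):
        super().__init__()
        self.base, self.found = base, set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.found.add(urljoin(self.base, a["href"]))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=https://target/"
            target = (a.get("content") or "").partition("=")[2].strip(" '\"")
            if target:
                self.found.add(urljoin(self.base, target))

def links(html, base):
    parser = _Links(base)
    parser.feed(html)
    return parser.found

def crawler_only_external(browser_html, crawler_html, base):
    """External URLs present in the crawler response but not the browser one."""
    host = urlparse(base).hostname
    extra = links(crawler_html, base) - links(browser_html, base)
    return sorted(u for u in extra if urlparse(u).hostname not in (None, host))

def fetch(url, user_agent):
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

def check_live(url):
    """Run the comparison against a site you operate (needs network access)."""
    return crawler_only_external(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), url)

# Constructed sample responses for one page of a hypothetical site.
BASE = "https://site.example/blog/post"
BROWSER_SAMPLE = '<a href="/about">About</a> <a href="mailto:me@site.example">Mail</a>'
CRAWLER_SAMPLE = (BROWSER_SAMPLE
    + '<meta http-equiv="refresh" content="0; url=https://redirect.spam.example/landing">'
    + '<a href="https://pills.spam.example/buy">cheap</a> <a href="/contact">Contact</a>')
```

An empty result from a User-Agent-only comparison does not rule out cloaking, since such code can also key on the requester's source address; comparing against the page as rendered in Google Search Console's URL inspection covers that case.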
Via TechCrunch




