Massive WordPress Supply Chain Attack: 30+ Plugins Sold and Weaponized with Backdoors
A massive supply chain attack has hit the WordPress ecosystem after an attacker acquired a portfolio of 30+ popular plugins via Flippa, planting sophisticated backdoors that remained dormant for 8 months before being activated.

Key Points
- Over 30 WordPress plugins were purchased via Flippa specifically to plant malicious backdoors.
- The attacker used Ethereum smart contracts to resolve C2 domains, making takedowns difficult.
- The malicious code remained dormant for 8 months to bypass security reviews and build an install base.
- The malware targeted the wp-config.php file and used SEO cloaking to hide from site owners.
- WordPress.org permanently closed 31 plugins and removed the author's account in a single day.
- Forced security updates disabled the backdoor but failed to clean already-infected configuration files.

The WordPress community is currently reeling from one of the most sophisticated and large-scale supply chain attacks in its history. Security researchers have uncovered a massive operation in which an attacker systematically acquired over 30 popular plugins to plant malicious backdoors. The discovery began when Ricky from Improve & Grow noticed a security alert in a client's WordPress dashboard. The warning, issued by the WordPress.org Plugins Team, indicated that the Countdown Timer Ultimate plugin contained code allowing unauthorized third-party access. This was just the tip of the iceberg for a six-figure acquisition scheme designed to weaponize established trust.

According to an in-depth investigation by Anchor Host, the attacker, operating under the alias 'Kris', purchased the entire 'Essential Plugin' portfolio (formerly known as WP Online Support) via the Flippa marketplace. The original team, based in India, had built these plugins since 2015, establishing a massive install base. However, after a reported revenue decline of 35-45% in late 2024, the business was listed for sale. Kris, whose background reportedly includes SEO, cryptocurrency, and online gambling marketing, acquired the business for a six-figure sum in early 2025. This acquisition granted the attacker legitimate commit access to dozens of plugins hosted on the official WordPress.org repository.

The technical execution of this attack was masterfully deceptive. On August 8, 2025, shortly after the takeover, the new owner released version 2.6.7 of Countdown Timer Ultimate. The changelog claimed the update was for 'compatibility with WordPress version 6.8.2.' In reality, it added 191 lines of code that introduced a PHP deserialization backdoor. Crucially, this backdoor remained dormant for eight months.
By staying inactive, the malicious code avoided detection by automated scanners and manual reviews, allowing it to propagate across hundreds of thousands of active WordPress installations as users performed routine updates. The 'weaponization' phase finally began in April 2026. A module named `wpos-analytics`, embedded within the compromised plugins, initiated contact with a command-and-control (C2) server at `analytics.essentialplugin.com`. This module downloaded a payload named `wp-comments-posts.php`, a name chosen to mimic the core WordPress file `wp-comments-post.php` and evade suspicion. This payload then injected a massive block of PHP code into the site's primary configuration file, `wp-config.php`. The injected code served hidden SEO spam, redirects, and fake pages. To remain invisible to site administrators, the malware used 'cloaking' techniques, displaying the spam content only to Googlebot while showing a clean site to regular visitors.

One of the most advanced aspects of this breach was the C2 resolution mechanism. Instead of relying on traditional DNS or hardcoded IP addresses (which can be easily taken down by authorities), the attacker used an Ethereum smart contract. The malware queried public blockchain RPC endpoints to retrieve the current C2 domain from the smart contract. This decentralization meant that even if one domain was seized, the attacker could simply update the smart contract to point to a new domain, making the infrastructure nearly impossible to dismantle through traditional legal or technical means.

Forensic analysis conducted by the CaptainCore team used a binary search over daily backups to pinpoint the moment of infection. By comparing the file size of `wp-config.php` across multiple snapshots, they determined that the injection occurred within a 6-hour and 44-minute window on April 6, 2026.
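The backup bisection described above, as an added example written for this article rather than CaptainCore's own tooling: the snapshot series is constructed in memory as (timestamp, size) pairs at a 6-hourly interval, and the sizes, dates and the 09:30 injection time used to generate it are assumptions for the demonstration. A real run would stat `wp-config.php` inside each backup archive instead and hand the resulting series to the same search.

```python
"""Narrow a file-change window by binary-searching backup snapshots.

Added example, not CaptainCore's tooling: the article describes pinpointing
the wp-config.php injection by comparing the file's size across backup
snapshots.  The series here is constructed in memory as
(timestamp, size_in_bytes) pairs; a real run would stat the file inside
each backup archive instead.
"""
from datetime import datetime, timedelta

# Constructed sizes: an ordinary wp-config.php before the injection and the
# same file after a large PHP block was added to it.
CLEAN_SIZE = 3_214
INJECTED_SIZE = 22_871


def constructed_snapshots():
    """Build a 6-hourly snapshot series for March 8 .. April 7, 2026.

    The injection time (09:30 on April 6) is a constructed ground truth used
    only to generate the series; the search below never sees it.
    """
    injected_at = datetime(2026, 4, 6, 9, 30)
    t, end = datetime(2026, 3, 8), datetime(2026, 4, 7)
    snapshots = []
    while t <= end:
        snapshots.append((t, INJECTED_SIZE if t >= injected_at else CLEAN_SIZE))
        t += timedelta(hours=6)
    return snapshots


def find_change_window(snapshots, baseline_size):
    """Return (last_clean, first_changed, probes) for a chronological series.

    Binary search is valid only if the series is monotonic: every snapshot up
    to some point matches the baseline and every later one does not.  The two
    endpoint probes catch the cases where nothing changed or where even the
    oldest backup is already modified; a non-monotonic series (the file was
    cleaned and re-infected) needs a linear scan instead.
    """
    if not snapshots:
        raise ValueError("no snapshots to search")
    probes = 1
    if snapshots[-1][1] == baseline_size:
        return None, None, probes            # never changed within the series
    probes += 1
    if snapshots[0][1] != baseline_size:
        return None, snapshots[0][0], probes  # changed before the oldest backup
    # Invariant: index 0 is clean, index hi is changed; answer lies in [lo, hi].
    lo, hi = 1, len(snapshots) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        probes += 1
        if snapshots[mid][1] == baseline_size:
            lo = mid + 1
        else:
            hi = mid
    return snapshots[lo - 1][0], snapshots[lo][0], probes


if __name__ == "__main__":
    series = constructed_snapshots()
    last_clean, first_changed, probes = find_change_window(series, CLEAN_SIZE)
    print(f"{len(series)} snapshots, {probes} probes")
    print(f"last clean:    {last_clean}")
    print(f"first changed: {first_changed}")
    print(f"window:        {first_changed - last_clean}")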
While the WordPress.org Plugins Team reacted decisively on April 7 by permanently closing all 31 associated plugins and forcing an auto-update to neutralize the phone-home mechanism, the fix was incomplete. The forced update (v2.6.9.1) disabled the plugin's ability to download new payloads, but it did not clean the already-compromised `wp-config.php` files, meaning many sites remained infected even after the 'fix.'

This incident highlights a critical 'trust problem' within the WordPress ecosystem. The vulnerability wasn't a coding error by a well-meaning developer; it was a deliberate, well-funded supply chain infiltration. Currently, WordPress.org has no formal mechanism to flag or review plugin ownership transfers, nor does it notify users when a plugin changes hands. The attacker successfully bought the reputation of an 8-year-old business and used it as a Trojan horse. Experts urge all WordPress administrators to immediately check their plugin lists for any 'Essential Plugin' products, remove them, and manually inspect their `wp-config.php` files for injected code, which typically appears on the same line as the `require_once` statement for `wp-settings.php`.

The Anatomy of a Supply Chain Takeover
The security crisis began when the Essential Plugin portfolio was listed on Flippa following a significant revenue dip. The buyer, an individual named Kris, paid a six-figure sum to take control of over 30 plugins. This acquisition model is particularly dangerous because it allows an attacker to inherit the years of trust and the massive install base of an established developer. In the WordPress ecosystem, these transfers happen behind the scenes without any notification to the end-users who rely on these tools. Immediately after the purchase, the new owner began modifying the SVN repositories. By changing author headers and masking malicious injections as routine compatibility updates, the attacker bypassed the initial suspicion of the user base. This incident highlights a systemic failure in how WordPress.org handles plugin ownership, treating it as a simple administrative change rather than a high-risk security event that should trigger a full code audit.
Sophisticated C2 and Ethereum Integration
The technical backbone of the attack relied on a PHP deserialization vulnerability. By using the `unserialize()` function on data fetched from a remote server, the attacker could execute arbitrary code (RCE) on any site where the plugin was active. This backdoor was cleverly hidden within a legitimate-looking analytics module, making it difficult for casual observers or basic automated tools to identify it as a threat. To ensure the longevity of the attack, the attacker integrated Web3 technology. The malware queried an Ethereum smart contract to resolve its command-and-control (C2) domains. This meant that even if security researchers identified and shut down a specific malicious domain, the attacker could simply update the blockchain record to point the entire infected fleet to a new server. This level of infrastructure resilience is rarely seen in WordPress-specific malware and suggests a highly professional operation.
Remediation and Long-term Prevention
For site administrators, the first step is to identify and remove any plugins from the Essential Plugin author. Since these have been permanently delisted from WordPress.org, they will no longer receive security patches. However, simply deleting the plugin may not be enough. The malware was designed to persist by injecting code directly into `wp-config.php`. Administrators must manually inspect this file for large blocks of obfuscated PHP code, often appended at the very end of the file. While some community members have released 'patched' versions of these plugins that have been stripped of the malicious analytics module, the safest course of action is to migrate to alternative plugins from reputable developers. This attack serves as a wake-up call for the WordPress community to demand better transparency regarding plugin ownership changes and more rigorous ongoing security monitoring for established plugins.
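The manual inspection of `wp-config.php` recommended here (and earlier in the article, which places the injection on the same line as the `require_once` for `wp-settings.php`) can be turned into a repeatable check. The scanner below is an added example, not code from the article, Anchor Host, CaptainCore or the WordPress project: it flags code trailing the `wp-settings.php` include, substantive lines after it, unusually long lines (the shape an obfuscated block takes), and calls to the `unserialize()`/`eval()`-style primitives the deserialization backdoor section describes. The regular expressions, the 400-character long-line threshold and the three sample configs are assumptions constructed for the demonstration; the "payloads" in the samples are inert filler.

```python
"""Check a wp-config.php for the injection patterns the article describes.

Added example; not code from the article, Anchor Host, CaptainCore or
WordPress.  Both infected samples are constructed stand-ins with inert
placeholder payloads, not real site files.
"""
import re

# The include that normally ends wp-config.php, in both the modern spelling
# and the older parenthesised one.
SETTINGS_INCLUDE = re.compile(
    r"require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]\s*\)?\s*;"
)
# Primitives a remote-fetch-then-deserialize backdoor leans on.
SUSPICIOUS_CALLS = re.compile(
    r"\b(unserialize|eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\("
)
LONG_LINE = 400  # constructed threshold; genuine wp-config.php lines are short
COMMENT_PREFIXES = ("//", "#", "/*", "*")


def _is_code(line):
    """True for a line that is neither blank, a closing tag, nor a comment."""
    s = line.strip()
    return bool(s) and s != "?>" and not s.startswith(COMMENT_PREFIXES)


def scan_wp_config(text):
    """Return a list of (line_number, kind, detail) findings; empty means clean."""
    findings = []
    lines = text.splitlines()
    include_at = None
    for n, line in enumerate(lines, 1):
        m = SETTINGS_INCLUDE.search(line)
        if m:
            include_at = n
            trailing = line[m.end():]
            if _is_code(trailing):
                findings.append((n, "trailing_code", trailing.strip()[:60]))
        if len(line) > LONG_LINE:
            findings.append((n, "long_line", f"{len(line)} chars"))
        for call in SUSPICIOUS_CALLS.findall(line):
            findings.append((n, "suspicious_call", call))
    if include_at is None:
        findings.append((0, "no_include", "wp-settings.php include not found"))
    else:
        extra = [n for n in range(include_at + 1, len(lines) + 1) if _is_code(lines[n - 1])]
        if extra:
            findings.append((extra[0], "after_include", f"{len(extra)} code line(s) after the include"))
    return findings


# Constructed sample: a minimal, clean wp-config.php.
CLEAN_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'example-password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed sample: inert filler appended to the include line itself, the
# placement the article reports.
INLINE_INJECTED = CLEAN_CONFIG.replace(
    "require_once ABSPATH . 'wp-settings.php';",
    "require_once ABSPATH . 'wp-settings.php'; @eval(base64_decode('" + "A" * 500 + "'));",
)

# Constructed sample: an inert block appended after the include instead.
APPENDED_INJECTED = (
    CLEAN_CONFIG
    + "\n// constructed stand-in for an appended block\n"
    + "$wpos_payload = unserialize(base64_decode('PLACEHOLDER'));\n"
)


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_CONFIG), ("inline", INLINE_INJECTED), ("appended", APPENDED_INJECTED)):
        print(name, scan_wp_config(sample) or "no findings")
```

Run against a real file with `scan_wp_config(open("wp-config.php").read())`; the long-line and after-include checks are deliberately pattern-agnostic so they still fire when the obfuscation differs from the samples, while the call list is the part to extend as new payload variants are documented.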
This article was drafted with AI assistance and editorially reviewed before publication. Sources are listed below.