
New Owner Injects Backdoor Into Essential Plugin WordPress Extensions, Exposing Thousands
Key Takeaways
- Backdoors added to plugin updates after ownership transfer of Essential Plugin.
- Backdoor distributed malicious code to thousands of WordPress sites.
- Dozens of plugins removed from WordPress directory after backdoor discovery.
Backdoor in Essential Plugin Suite
Dozens of WordPress plugins developed by Essential Plugin were taken offline after a backdoor was discovered.
“Dozens of WordPress plug-ins went offline following the discovery of a backdoor that delivered malicious code to users”
The backdoor was introduced after Essential Plugin was acquired by a new corporate owner last year.

The malicious code remained dormant until it activated earlier this month.
Essential Plugin claims over 400,000 total installs and more than 15,000 customers.
The affected tools were active on more than 20,000 websites.
The plugins provide access to system settings, creating paths for malicious actions once compromised.
The affected plugins were removed from the WordPress directory and labeled as permanently closed.
Scope and Impact
The backdoor created access points that attackers could exploit to steal data or take control.
The attack represents one of the largest coordinated supply chain attacks targeting WordPress.

This was the second reported case of plugin hijacking in just a few weeks.
The incident highlights a long-standing vulnerability in third-party plugins.
Website administrators were urged to audit their plugin inventories.
Essential Plugin did not publicly respond to requests for comment.
Ownership Transfer Risks
The Essential Plugin suite was acquired by a new owner who slipped in malicious code.
“A recent ownership change introduced a hidden backdoor that activated this month”
The backdoor was planted in the first update by the new owner on August 8, 2025.
It remained dormant for approximately eight months before being exploited in April 2026.
The WordPress.org plugin team deactivated 31 plugins on April 7, 2026.
Ginder warned the ecosystem lacks mechanisms to notify when ownership is transferred.
The incident is likely to accelerate calls for better security practices.