30 WordPress Plugins Turned Into Malware After Ownership Change (bleepingcomputer.com)
Wednesday BleepingComputer reported that more than 30 WordPress plugins "have been compromised with malicious code that allows unauthorized access to websites running them."
A malicious actor planted the backdoor code last year but only recently started pushing it to users via updates, generating spam pages and causing redirects, as per the instructions received from the command-and-control (C2) server. The compromise affects plugins with hundreds of thousands of active installations and was spotted by Austin Ginder, the founder of managed WordPress hosting provider Anchor Hosting, after receiving a tip about one add-on containing code that allowed third-party access.
Further investigation by Ginder revealed that a backdoor had been present in all plugins within the EssentialPlugin package since August 2025, after the project was acquired in a six-figure deal by a new owner.... "The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners," explained Ginder.
"WordPress.org's v2.6.9.1 update neutralized the phone-home mechanism in the plugin," Ginder writes in a blog post. "But it did not touch wp-config.php. The SEO spam injection was still actively serving hidden content to Googlebot.
"And here is the wildest part. It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time." This has happened before. In 2017, a buyer using the alias "Daley Tias" purchased the Display Widgets plugin (200,000 installs) for $15,000 and injected payday loan spam. That buyer went on to compromise at least 9 plugins the same way.... The WordPress plugin marketplace has a trust problem... The Flippa listing for Essential Plugin was public. The buyer's background in SEO and gambling marketing was public. And yet the acquisition sailed through without any review from WordPress.org.
WordPress.org has no mechanism to flag or review plugin ownership transfers. There is no "change of control" notification to users. No additional code review triggered by a new committer. The Plugins Team responded quickly once the attack was discovered. But 8 months passed between the backdoor being planted and being caught.
Thanks to Slashdot reader axettone for sharing the news.
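Added example, not code from the BleepingComputer article or from Ginder's write-up: a defender-side static check in Python that flags the combination described above (a Googlebot-only User-Agent check next to a remote fetch or an Ethereum JSON-RPC call in plugin code) and lists anything appended to wp-config.php after its "stop editing" marker. The PHP samples are constructed stand-ins; the exact shape of the real injection is not given on this page, so the indicator list is an assumption about what such cloaking code tends to contain.

```python
import re
# Constructed stand-in for a backdoored plugin file (not the real EssentialPlugin
# code): Googlebot-only cloaking, C2 host resolved via an Ethereum JSON-RPC call,
# then spam content fetched from that host.
SUSPICIOUS_PLUGIN = r'''<?php
function ep_maybe_inject($endpoint) {
    if (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') === false) { return; }
    $rpc  = json_encode(array('jsonrpc' => '2.0', 'method' => 'eth_call', 'params' => array()));
    $host = wp_remote_retrieve_body(wp_remote_post($endpoint, array('body' => $rpc)));
    echo wp_remote_retrieve_body(wp_remote_get('https://' . $host . '/links'));
}
'''
# Constructed benign file: logging the User-Agent alone is not an indicator.
BENIGN_PLUGIN = r'''<?php
function ep_log_visit() { error_log('visit from ' . $_SERVER['HTTP_USER_AGENT']); }
'''
# Constructed wp-config.php with an extra include appended after the marker line.
TAMPERED_CONFIG = r'''<?php
define('DB_NAME', 'wp');
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
@include_once ABSPATH . 'wp-content/uploads/.cache.php';
'''

INDICATORS = {
    "googlebot_check": re.compile(r"HTTP_USER_AGENT[^;\n]*Googlebot", re.I),
    "remote_fetch": re.compile(r"\b(wp_remote_(get|post)|curl_exec)\s*\(|file_get_contents\s*\(\s*['\"]https?:", re.I),
    "eth_jsonrpc": re.compile(r"\beth_(call|getStorageAt|blockNumber)\b|['\"]jsonrpc['\"]", re.I),
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

def scan_plugin_source(src):
    """Names of the indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]

def is_suspicious(src):
    """Escalate only when cloaking co-occurs with a fetch/RPC/obfuscation hit;
    a lone User-Agent check is routine in analytics code."""
    hits = set(scan_plugin_source(src))
    return "googlebot_check" in hits and bool(hits & {"remote_fetch", "eth_jsonrpc", "obfuscation"})
def config_lines_after_marker(src):
    """Lines after the 'stop editing' marker that include/require/eval anything
    other than wp-settings.php; a clean wp-config.php returns an empty list."""
    lines = src.splitlines()
    idx = next((i for i, l in enumerate(lines) if "stop editing" in l), None)
    if idx is None:
        return []
    return [l for l in lines[idx + 1:]
            if re.search(r"\b(include|require)(_once)?\b|\beval\s*\(", l) and "wp-settings.php" not in l]
```

Run it against a site's wp-content/plugins tree and wp-config.php; hits from is_suspicious() are worth a manual read, not proof of compromise on their own.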
Friends don't let friends (Score:4, Insightful)
use WordPress
Re:Friends don't let friends (Score:5, Informative)
Over the past several years, core WordPress has actually had fewer significant security bugs than Drupal.
The problem is that WordPress's plugin ecosystem, on the other hand, is basically still the Wild West.
Re: (Score:2)
Because they already have it.
Probably a tiny faction... (Score:1)
...of the ones that are compromised by accident.
Why didn't AI catch this? (Score:2)
Also any system that auto-updates from random parts of the world will always be vulnerable to this. Distributed is great until it isn't because you have to trust every part of the system - which is not possible.
Re: (Score:2)
Maybe the AI added it?
But yes, it's not possible to run a high-trust computing environment in a low-trust society. I still find it amusing that we were told we're not allowed to connect to the office from Linux machines because Security, yet we now use the "secure" Windows laptops to connect to the office and run software on Linux VMs which download all kinds of random dependencies from all over the Internet because "you can trust us, bro."
Since AI bots are technically able and completely immoral I think we
Re: (Score:2)
AI would have caught it if it was told it was there or at least to go look exactly there for it! Oh, wait...
OMG 0.000000001% of WP ... (Score:3)
... install base compromised! We're all gonna die!
Re: (Score:2)
To be fair, 0.000000001% of their installed base comes out to 8 trillion web sites.
Why Auto-update is a trap. (Score:4, Insightful)
This is why updates should go through:
A) Sandbox testing
B) Wait and See
Updates can and do *make things worse*
It depends. (Score:3)
Why Auto-update is a trap.
If you have WP plugins from teams you can rely on that have a professional software pipeline serving the updates, then auto-update really isn't a problem. The key point here being of course "professional software pipeline". The broader WP community and its huge 3rd-party market is a crazy bunch delivering the most ghetto-type sh*t in code under the sun. Quite a few of these guys shouldn't be let near a keyboard, that's for sure.
Likewise, if you've bloated your WP setup with 15+ pl
uh.. (Score:1)
"Turned Into" (Score:3)
I like the hidden implication that somehow these plugins didn't start as malware.