Cybersecurity researchers have uncovered a serious supply chain attack involving dozens of popular WordPress plugins. The incident came to light after security experts discovered that plugin code had been secretly modified to include hidden backdoors. These plugins were previously trusted by thousands of website owners and had been downloaded by a large number of WordPress users. The discovery raised concerns about how software ownership changes can introduce unexpected security risks.

According to the investigation, the affected plugins originally belonged to a company known as Essential Plugin. In early 2025, the plugin portfolio was acquired by a new owner who later gained control over more than 30 WordPress plugins. Shortly after the transfer, malicious code was reportedly added to the plugins and distributed through legitimate software updates. Because the updates appeared normal, many website administrators installed them without realizing the danger.
Researchers found that the inserted code functioned as a hidden backdoor, giving attackers unauthorized access to affected websites. Once active, the backdoor could communicate with external infrastructure and receive instructions remotely. This allowed the attackers to maintain control over compromised sites without immediately alerting administrators. The malicious functionality remained hidden for months before being activated.
The investigation revealed that the backdoor was not a simple piece of malware. It was designed to fetch spam content, redirects, and fake web pages from command-and-control infrastructure controlled by the attackers. In many cases, the malicious content was displayed only to search engine crawlers such as Googlebot. As a result, website owners often remained unaware that their sites were being abused for spam campaigns.
One of the most unusual findings involved the attacker’s use of blockchain technology. Researchers reported that the malware relied on an Ethereum smart contract to help locate its command-and-control infrastructure. This approach made the operation more resilient because attackers could update destinations without relying on traditional domains. Such techniques can make disruption efforts more difficult compared to conventional malware campaigns.
Security experts estimate that the affected plugin ecosystem reached tens of thousands of active WordPress installations. Some reports indicate that the compromised products had a significant customer base, including both free and paid users. Because the plugins were already trusted and widely deployed, the attackers were able to distribute malicious code through a legitimate update channel. This is why the incident is being viewed as a major supply chain compromise.
Following the discovery, WordPress removed the affected plugins from its official repository. Researchers also warned website administrators to review their environments for signs of compromise and replace any impacted plugins with safer alternatives. Since the backdoor was delivered through trusted updates, simply relying on plugin reputation was not enough to prevent exposure. Administrators were encouraged to inspect websites for suspicious behavior and unauthorized modifications.
The incident highlights the growing threat of software supply chain attacks in the WordPress ecosystem. Rather than exploiting a traditional software vulnerability, the attackers abused trust in a legitimate product to gain access to websites. Security professionals say the case demonstrates the importance of monitoring plugin ownership changes, reviewing updates carefully, and maintaining strong security practices. As attackers continue to evolve their methods, trusted software can become a target if proper oversight is not maintained.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news