WordPress plugin suite hacked to push malware to thousands of sites

More than 30 WordPress plugins in the EssentialPlugin package were compromised with malicious code that could give unauthorized access to websites, affecting products with hundreds of thousands of active installations, according to a technical analysis from Anchor Hosting.

KEY FACTS

  • Scope: More than 30 plugins in the package were affected.
  • Timeline: The backdoor was present since August 2025 and was later activated through updates.
  • Behavior: The malware could add spam pages, redirects and fake pages.
  • Response: WordPress.org closed the plugins and pushed a forced update.

The report said the malicious code was planted after the project was acquired in a six-figure deal. It said the backdoor stayed inactive for months before it began contacting external infrastructure to fetch a file named wp-comments-posts.php, which then injected malware into wp-config.php.

According to the report, the malware was hidden from site owners and relied on Ethereum-based command-and-control address resolution for evasion. The injected code could retrieve spam links, redirects and fake pages, and it showed the spam only to Googlebot.

Analysis from Patchstack's disclosure said the backdoor worked only if the analytics.essentialplugin.com endpoint returned malicious serialized content. WordPress.org warned that the forced update did not clean the wp-config file and said the malware may also be present in other files.

WHY IT MATTERS

The case shows how a supply-chain compromise in widely used plugins can reach many sites at once and remain hidden from owners. Sites running affected products may still need cleanup even after the forced update, especially if wp-config or other files were altered.
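The cleanup point above is where site owners need a concrete check. The following triage scan is an added example and is not code from Anchor Hosting, Patchstack or WordPress.org: it looks for the file name and C2 hostname the article reports, and it flags any executable line appended after the stock "stop editing" marker in wp-config.php. The stop-marker heuristic, the eval/base64_decode pattern and the sample file contents are assumptions constructed here, not details taken from the article.

```python
import re
from pathlib import Path

# Indicators named in the article; the eval/base64 pattern is a generic
# heuristic added here, not something the article attributes to this malware.
INDICATORS = {
    "c2_host": re.compile(r"analytics\.essentialplugin\.com"),
    "dropper_name": re.compile(r"wp-comments-posts\.php"),
    "eval_decode": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
}
DROPPED_FILENAME = "wp-comments-posts.php"
STOP_MARKER = "/* That's all, stop editing!"
STOCK_TAIL = ("ABSPATH", "wp-settings.php")  # lines that legitimately follow the marker

# Constructed samples: the stock tail of wp-config.php, and the same tail with a line appended.
CLEAN_TAIL = STOP_MARKER + """ Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' ); }
require_once ABSPATH . 'wp-settings.php';
"""
INJECTED_TAIL = CLEAN_TAIL + "@include_once '/tmp/wp-comments-posts.php'; // constructed line\n"

def scan_php(text):
    """Names of the indicators that match in one PHP file body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_wp_config(text):
    """Indicator matches plus a heuristic: executable code after the stock marker."""
    findings = scan_php(text)
    if STOP_MARKER in text:
        for line in text.split(STOP_MARKER, 1)[1].splitlines()[1:]:  # [1:] skips the marker's own line
            s = line.strip()
            benign = not s or s in ("{", "}") or s.startswith(("/*", "*", "//", "#"))
            if benign or any(tok in s for tok in STOCK_TAIL):
                continue
            findings.append("code_after_stop_marker")
            break
    return findings

def scan_install(root):
    """Walk a WordPress root: flag the dropped file and any PHP file with indicators."""
    hits = []
    for path in Path(root).rglob("*.php"):
        checker = scan_wp_config if path.name == "wp-config.php" else scan_php
        findings = checker(path.read_text(encoding="utf-8", errors="replace"))
        if path.name == DROPPED_FILENAME:
            findings = ["dropper_file_present"] + findings
        if findings:
            hits.append((str(path.relative_to(root)), findings))
    return hits
```

A hit on wp-config.php or on other files means the forced plugin update alone was not enough; restore those files from a known-good copy and rotate the credentials stored in wp-config.php.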