A backdoor was discovered in Essential Plugin, a popular WordPress plugin, after an unknown actor purchased it and injected malicious code into the source. The dormant backdoor activated in early April, distributing malicious code to over 20,000 active WordPress installations. The incident shows how exposed open source software is to ownership-transfer attacks, in which a project changes hands without its users being notified.
Safety
Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites
Unknown actor purchased Essential Plugin and injected a backdoor that compromised 20,000+ WordPress sites before activating in April, exploiting the lack of notification requirements for open-source plugin ownership transfers.
Tuesday, April 14, 2026 12:00 PM UTC | 2 min read | Source: TechCrunch | By sys://pipeline