Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
WordPress Plugins Compromised by Hidden Malware Backdoor

WordPress Plugins Compromised by Hidden Malware Backdoor

Posted on April 15, 2026 By CWS

Hidden Malware Discovered in WordPress Plugins

A hidden backdoor within several well-regarded WordPress plugins went undetected for eight months, compromising numerous sites before detection. This incident underscores a significant supply chain vulnerability in the WordPress ecosystem.

Discovery of the Backdoor

In April 2026, security analysts uncovered a backdoor embedded in WordPress plugins following a routine client inquiry. Initial investigations revealed that the breach began with the discreet acquisition of a legitimate plugin company by an anonymous buyer.

The company, known as “Essential Plugin,” was originally established by WP Online Support in India. They developed over 30 plugins, including tools like countdown timers and image sliders. Due to declining revenue, the business was sold on Flippa in 2024 to a buyer named “Kris.”

How the Attack Unfolded

Security issues emerged when the WordPress.org Plugins Team flagged the Countdown Timer Ultimate plugin for unauthorized access capabilities. A comprehensive audit found the malware was deeply embedded in the wp-config.php file, not within the plugin itself. This malware generated hidden spam links and redirects, invisible to site administrators but detectable by Googlebot.

The situation escalated on April 7, 2026, when WordPress.org shut down all 31 plugins from Essential Plugin, impacting countless installations. Despite a forced auto-update, the wp-config.php file remained compromised, continuing to serve spam.

Lessons from the Breach

This event is reminiscent of a 2017 breach involving the Display Widgets plugin, where a similar tactic was used to distribute malicious code. Both incidents involved acquiring a trusted plugin, gaining commit access, and injecting harmful code.

The initial malicious commit in August 2025 introduced a PHP deserialization backdoor, which remained dormant until activated in April 2026. The attackers utilized an Ethereum smart contract to manage the malware’s command-and-control domain, complicating takedown efforts.

Recommendations for Site Administrators

Site administrators are advised to promptly inspect and remove any compromised plugins from their installations. It is crucial to manually review the wp-config.php file for any unauthorized code injections. A file size anomaly could indicate a deeper infection requiring thorough remediation.

In light of this, WordPress.org is encouraged to implement stringent review processes for plugin ownership transfers to avert similar security breaches in the future.

Stay informed on the latest updates by following us on Google News, LinkedIn, and X. Set CSN as your preferred source in Google for more insights.

Cyber Security News Tags:Backdoor, Cryptocurrency, cyber attack, Cybersecurity, Malware, online marketing, plugin ownership, plugin vulnerability, PlugIns, security audit, SEO, supply chain attack, website maintenance, website security, WordPress

Post navigation

Previous Post: Hackers Exploit Google Cloud to Deliver Remcos RAT
Next Post: AI-Driven Threat Exploits Google Discover to Spread Malware

Related Posts

Hackers Launch Widespread Attacks on Palo Alto GlobalProtect Portals from 7,000+ IPs Hackers Launch Widespread Attacks on Palo Alto GlobalProtect Portals from 7,000+ IPs Cyber Security News
LegalPwn Attack Exploits Gemini, ChatGPT and other AI Tools into Executing Malware LegalPwn Attack Exploits Gemini, ChatGPT and other AI Tools into Executing Malware Cyber Security News
Hackers Exploiting GeoServer RCE Vulnerability to Deploy CoinMiner Hackers Exploiting GeoServer RCE Vulnerability to Deploy CoinMiner Cyber Security News
Qilin Ransomware Disables EDR Systems with Malicious DLL Qilin Ransomware Disables EDR Systems with Malicious DLL Cyber Security News
Ubiquiti UniFi Flaws Risk Total System Compromise Ubiquiti UniFi Flaws Risk Total System Compromise Cyber Security News
Google Urgently Updates Chrome to Fix Exploited Flaws Google Urgently Updates Chrome to Fix Exploited Flaws Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Critical Windows RDP Vulnerabilities Addressed by Microsoft
  • Cursor Flaw Risks Code Execution Vulnerability
  • New Windows Vulnerability PoC Released Post Patch Update
  • Dell Patches Critical PowerProtect Flaws Allowing Remote Access
  • Windows Bind Link Exploits Bypass EDR Detection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Critical Windows RDP Vulnerabilities Addressed by Microsoft
  • Cursor Flaw Risks Code Execution Vulnerability
  • New Windows Vulnerability PoC Released Post Patch Update
  • Dell Patches Critical PowerProtect Flaws Allowing Remote Access
  • Windows Bind Link Exploits Bypass EDR Detection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark