A hot potato: WordPress plugins can significantly expand the native capabilities of the popular content management system, but they can also become a double-edged sword. When malicious code finds its way into a widely used plugin ecosystem, the consequences can spread fast and in unpredictable ways.

A popular brand of WordPress plugins was recently weaponized to download and spread malicious code. The new, potentially massive supply chain attack was unveiled by Austin Ginder, a WordPress developer and founder of the WP hosting service Anchor. The entrepreneur found that the threat was already affecting some Anchor customers, abusing a clever trick to keep C2 communications safe from easy takedown attempts.

Ginder's investigation began when an Anchor customer received an alert from the WordPress.org plugin team. The alert warned that a plugin named Countdown Timer Ultimate (CTU) contained potentially malicious code, including a backdoor that could be abused by a third party to gain unauthorized access to a WordPress website.

The CTU plugin was part of a larger plugin series developed by Essential Plugin (EP), an India-based brand that was recently acquired by an unknown party operating in the crypto and gambling business. Soon after purchasing the roughly 30 plugins created by EP, the new owner added a backdoor to the codebases in their very first SVN commit.

The backdoor was added eight months ago, but it only received its first malware injection on April 6, 2026. The injected code contained several sophisticated payloads within a large block of PHP hidden inside wp-config.php, one of the central configuration files in a WordPress installation. The malware was designed to fetch spam links, trigger URL redirects, and generate fake pages.

The code responsible for checking for new instructions from the criminals' command and control server hid the server's domain inside an Ethereum smart contract. The attacker could update the smart contract with a new C2 domain at any time, making domain takedown attempts largely impractical.

After being warned about the issue, the WordPress.org plugin team removed all 30 or so plugins developed under the original EP brand. Ginder has provided a list of the plugins confirmed to be affected by the backdoor code, allowing WP admins to check whether their websites may now be at risk.
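Two quick triage checks an admin can run after reading this: match installed plugin directories against the published list of affected slugs, and look for the kind of appended PHP the article describes in wp-config.php. This is an added example, not code from the article, Anchor, or WordPress.org; the affected slugs are not printed here, so AFFECTED_SLUGS holds constructed placeholders that must be replaced with Ginder's list, and the sample configs are constructed.

```python
"""Triage helpers for a suspected plugin takeover (added example)."""
import re

# Constructed placeholders; replace with the published list of affected slugs.
AFFECTED_SLUGS = {"example-affected-plugin-1", "example-affected-plugin-2"}

# PHP calls that have no business in a config file and are typical of loaders.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|"
    r"create_function|file_get_contents|curl_exec)\s*\(", re.IGNORECASE)
# Long base64-looking literals usually carry an encoded payload.
LONG_LITERAL = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")


def find_affected_plugins(installed, affected=AFFECTED_SLUGS):
    """Return installed plugin directory names that appear in the affected list."""
    return sorted(set(installed) & set(affected))


def scan_wp_config(text):
    """Return (line_number, reason) findings for the contents of wp-config.php."""
    findings, open_tags = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        # A stock wp-config.php has exactly one <?php tag; a second one is appended code.
        if "<?php" in line:
            open_tags += line.count("<?php")
            if open_tags > 1:
                findings.append((lineno, "extra PHP open tag"))
        m = SUSPICIOUS.search(line)
        if m:
            findings.append((lineno, "suspicious call: " + m.group(1).lower()))
        # Injected blocks are often one enormous line or a huge encoded string.
        if LONG_LITERAL.search(line) or len(line) > 1000:
            findings.append((lineno, "long opaque literal or line"))
    return findings


# Constructed sample configs so the checks run without a real site.
CLEAN_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
define( 'DB_USER', 'wp' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""
# The base64 literal below is just the word CONSTRUCTED; it is a detection fixture.
INJECTED_CONFIG = CLEAN_CONFIG + "<?php\n@eval(base64_decode('Q09OU1RSVUNURUQ='));\n"
```

On a real install, pass the contents of wp-config.php to scan_wp_config and the directory names under wp-content/plugins to find_affected_plugins; any finding is a reason to pull a clean copy of the file and the plugin from a known-good source.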

Ginder warns that this is the second instance of a malicious party taking over popular WordPress plugins for criminal ends. The first case occurred in 2017 and affected a single plugin installed on 200,000 websites. The EP case operates at a much larger scale, with hundreds of thousands of potentially vulnerable WP sites.

The WordPress plugin marketplace is notorious for its ongoing security and trust issues. Right now, the WP team has no reliable system to flag plugins that have changed hands without site owners knowing. Things are unlikely to improve anytime soon, at least until WordPress and WP Engine resolve their legal dispute.