WordPress Plugin Backdoor: Thousands of Sites Compromised – Ankor Tech

Dozens of WordPress plugins have been pulled from the official directory after security researchers uncovered a malicious supply chain attack. An unidentified actor acquired the developer “Essential Plugin” and injected backdoors into its software, allowing the silent distribution of malicious code to over 20,000 active websites.

The Anatomy of a Supply Chain Attack

The breach was brought to light by Austin Ginder, founder of Anchor Hosting, who detailed the incident in a technical breakdown. According to Ginder, the malicious entity purchased the Essential Plugin suite last year. Shortly after the acquisition, they introduced a backdoor into the source code.

The code remained dormant for months, avoiding detection until it was activated earlier this month to begin injecting malicious scripts into websites running the affected plugins.

Scale of the Impact

Essential Plugin claims a massive user base of over 15,000 customers and 400,000 total installs, and the active exposure is significant: data from the WordPress plugin directory confirms that the compromised tools were present in more than 20,000 active installations at the time of discovery.

This incident highlights a critical vulnerability in the WordPress ecosystem: users are rarely notified when a plugin changes ownership, leaving them susceptible to “takeover attacks” from new, potentially malicious developers.

Urgent Security Steps for Administrators

Security experts have long warned about the risks of attackers acquiring legitimate software to weaponize it. This marks the second instance of a WordPress plugin hijack discovered in less than two weeks.

Although the malicious plugins have been permanently removed from the WordPress repository, the threat remains for any site where they are still installed. Website administrators are urged to audit their installations immediately. A comprehensive list of the compromised plugins can be found in Ginder’s original disclosure.
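One way to run that audit on a server, as an added example that is not code from Ginder's disclosure or from WordPress: the script walks a wp-content/plugins directory, reads each plugin's header comment, and flags anything whose directory slug is on an operator-supplied list or whose Author header matches. Assumptions: the slug list is a text file you fill in from the disclosure (none are reproduced here), and the Author value "Essential Plugin" is a guess based on the developer name in this article.

```python
import re
import sys
from pathlib import Path

# WordPress reads plugin metadata from a comment header near the top of a PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Author|Version):(.*)$", re.I | re.M)

def read_headers(php_file):
    """Return the first Plugin Name / Author / Version values in the file's first 8 KiB."""
    headers = {}
    for key, value in HEADER_RE.findall(php_file.read_text(errors="replace")[:8192]):
        headers.setdefault(key.lower(), value.strip())
    return headers

def audit(plugins_dir, flagged_slugs, flagged_authors=("essential plugin",)):
    """List plugins on disk (active or deactivated) whose slug or Author header is flagged."""
    slugs = {s.strip().lower() for s in flagged_slugs if s.strip()}
    authors = {a.lower() for a in flagged_authors}  # assumed header value, see lead-in
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir():
            continue
        headers = {}
        for php in sorted(entry.glob("*.php")):
            found = read_headers(php)
            if "plugin name" in found:  # this is the plugin's main file
                headers = found
                break
        reasons = []
        if entry.name.lower() in slugs:
            reasons.append("slug on advisory list")
        if headers.get("author", "").lower() in authors:
            reasons.append("author header match")
        if reasons:
            findings.append((entry.name, headers.get("version", "unknown"), reasons))
    return findings

if __name__ == "__main__":
    # Usage: audit.py /path/to/wp-content/plugins slugs.txt
    # slugs.txt holds one plugin slug per line, copied by the operator from the disclosure.
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py <plugins_dir> <slug_list_file>")
    for slug, version, reasons in audit(sys.argv[1], Path(sys.argv[2]).read_text().splitlines()):
        print(f"{slug}\t{version}\t{', '.join(reasons)}")
```

The slug list is the primary signal, because a new owner can change the Author header at will; the header match only catches plugins that are missing from your list.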

Representatives for Essential Plugin did not respond to requests for comment regarding the security compromise.