More than 30 WordPress plugins in the EssentialPlugin package were found to contain a backdoor that allows unauthorized access to sites using them. The dormant backdoor, introduced after the project’s August 2025 acquisition, was recently activated to fetch wp-comments-posts.php, which injects invisible malware into wp-config.php and delivers spam pages and redirects via an Ethereum-based C2. #EssentialPlugin #AnchorHosting
Key points
- Over 30 plugins in the EssentialPlugin package were compromised with backdoor code.
- The backdoor was planted after the project was acquired in August 2025 and remained inactive until recently.
- Activated code fetched wp-comments-posts.php to inject malware into wp-config.php and contacted an Ethereum-based C2.
- Malicious content was served selectively (only to Googlebot), showing spam pages, redirects, and fake pages while remaining invisible to owners.
- WordPress.org disabled the plugins and pushed a forced update, but administrators were warned that wp-config.php and other files may still be infected.
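A defender-side check for the selective serving described above, added here as an example and not taken from the report or from the plugins themselves: request the same page once as an ordinary browser and once with a Googlebot user agent, then compare the two bodies for links, redirects and content that only the bot sees. The user-agent strings, the indicator heuristics and the example.com / spam-placeholder.invalid hosts are assumptions for illustration.

```python
import re
import urllib.request
from urllib.parse import urlparse

# Constructed user-agent strings (assumption: the cloak keys on a Googlebot-style UA).
UA_BROWSER = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
UA_GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

HREF_RE = re.compile(r'href=["\']?(https?://[^"\'\s>]+)', re.I)
META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I)
JS_REDIRECT_RE = re.compile(r'location(?:\.href)?\s*=\s*["\']https?://', re.I)


def fetch(url: str, user_agent: str, timeout: int = 15) -> str:
    """Fetch one page body as text with the given User-Agent (network call)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def external_hosts(html: str, site_host: str) -> set:
    """Hosts linked from the page other than the site itself."""
    return {urlparse(u).hostname for u in HREF_RE.findall(html)} - {site_host, None}


def cloaking_indicators(browser_html: str, bot_html: str, site_host: str) -> dict:
    """Differences suggesting the bot is shown content the browser is not."""
    extra = external_hosts(bot_html, site_host) - external_hosts(browser_html, site_host)
    return {
        "extra_hosts": sorted(extra),  # outbound hosts that appear only for the bot
        "bot_only_meta_refresh": bool(META_REFRESH_RE.search(bot_html))
        and not META_REFRESH_RE.search(browser_html),
        "bot_only_js_redirect": bool(JS_REDIRECT_RE.search(bot_html))
        and not JS_REDIRECT_RE.search(browser_html),
        # Weaker hint: bot body much larger/smaller than the browser body.
        "size_ratio": round(len(bot_html) / max(len(browser_html), 1), 2),
    }


def suspicious(ind: dict) -> bool:
    return bool(ind["extra_hosts"]) or ind["bot_only_meta_refresh"] or ind["bot_only_js_redirect"]


def check_site(url: str) -> dict:
    """Fetch the URL with both user agents and report cloaking indicators."""
    host = urlparse(url).hostname
    ind = cloaking_indicators(fetch(url, UA_BROWSER), fetch(url, UA_GOOGLEBOT), host)
    ind["suspicious"] = suspicious(ind)
    return ind


if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1]))
```

If the cloak verifies Googlebot by IP or reverse DNS rather than by User-Agent, both fetches return the same page and this check stays silent; in that case inspect wp-config.php and the plugin files directly, as the advisory recommends.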