Dozens of WordPress plugins have been taken offline after a backdoor was discovered in their source code, potentially exposing thousands of websites to malware.
The breach was identified following the acquisition of Essential Plugin, a developer that manages over 400,000 plugin installs. According to Austin Ginder, founder of Anchor Hosting, the backdoor was planted after the company was purchased last year.
Ginder reported that the malicious code sat dormant within the plugins until early April, when it activated and began distributing malware to active installations. This supply chain attack used the plugins' own update channel, so the backdoor reached any site running the affected software.
Vulnerability in plugin ownership
WordPress plugin data indicates the compromised tools are currently active in more than 20,000 WordPress installations. While plugins are designed to extend site functionality, they require deep access to the website's core files, creating a significant security risk if the developer is compromised.
Ginder warned that WordPress users are rarely notified when a plugin changes corporate ownership. This lack of transparency leaves site administrators unaware that the person managing their site's security and functionality may have changed.
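Because WordPress itself does not alert administrators to an ownership change, one defensive habit is to record each installed plugin's author metadata once and re-check it on a schedule. The script below is an added example, not code from the article or from any of the parties it names: it takes the JSON output of `wp plugin list`, compares a stored baseline against fresh plugin metadata shaped like the WordPress.org plugin information API response, and reports plugins that have been closed or whose author field has changed. The plugin slugs, author names and API payloads are constructed for the example, and the exact error shape returned for a closed plugin is an assumption.

```python
"""Baseline-and-diff check for WordPress plugin closure and author changes.

Added example, not from the article. In production the `current` dict would be
filled from api.wordpress.org/plugins/info/1.2/ (action=plugin_information)
for each installed slug; here all inputs are constructed so it runs offline.
"""
import json
from dataclasses import dataclass

# Constructed sample of `wp plugin list --format=json` output. The field names
# (name, status, update, version) follow WP-CLI; the slugs are placeholders.
WP_CLI_PLUGIN_LIST = json.dumps([
    {"name": "example-gallery", "status": "active", "update": "available", "version": "2.1.0"},
    {"name": "example-seo", "status": "active", "update": "none", "version": "1.4.2"},
    {"name": "example-forms", "status": "inactive", "update": "none", "version": "3.0.1"},
])

# Constructed baseline recorded at an earlier check; authors are invented.
BASELINE = {
    "example-gallery": {"author": "Original Dev", "author_profile": "https://profiles.wordpress.org/originaldev/"},
    "example-seo": {"author": "SEO Team", "author_profile": "https://profiles.wordpress.org/seoteam/"},
    "example-forms": {"author": "Forms Co", "author_profile": "https://profiles.wordpress.org/formsco/"},
}

# Constructed responses shaped like plugin_information records: one whose
# author changed, one unchanged, and one closed plugin (error shape assumed).
CURRENT = {
    "example-gallery": {"slug": "example-gallery", "author": "New Owner LLC",
                        "author_profile": "https://profiles.wordpress.org/newownerllc/", "version": "2.2.0"},
    "example-seo": {"slug": "example-seo", "author": "SEO Team",
                    "author_profile": "https://profiles.wordpress.org/seoteam/", "version": "1.4.2"},
    "example-forms": {"error": "closed", "reason": "guideline-violation", "reason_text": "Guideline Violation"},
}


@dataclass(frozen=True)
class Finding:
    slug: str
    kind: str      # "closed", "author_changed" or "missing"
    detail: str
    active: bool   # an active plugin is running code on the site right now


def active_slugs(wp_cli_json: str) -> dict:
    """Map plugin slug -> True if active, from `wp plugin list --format=json`."""
    return {p["name"]: p["status"] == "active" for p in json.loads(wp_cli_json)}


def diff_plugin_metadata(installed: dict, baseline: dict, current: dict) -> list:
    """Compare baseline vs current metadata for every installed plugin."""
    findings = []
    for slug, is_active in installed.items():
        old, new = baseline.get(slug), current.get(slug)
        if old is None or new is None:
            findings.append(Finding(slug, "missing", "no baseline or no current metadata", is_active))
            continue
        if "error" in new:
            # Directory returned an error instead of a record: plugin was closed/removed.
            findings.append(Finding(slug, "closed", new.get("reason_text") or new["error"], is_active))
            continue
        old_owner = (old.get("author"), old.get("author_profile"))
        new_owner = (new.get("author"), new.get("author_profile"))
        if new_owner != old_owner:
            findings.append(Finding(slug, "author_changed",
                                    f"{old.get('author')!r} -> {new.get('author')!r}", is_active))
    # Active plugins first: a closed or re-owned plugin that is executing matters most.
    return sorted(findings, key=lambda f: (not f.active, f.slug))


def run_check() -> list:
    """Run the diff over the constructed sample data."""
    return diff_plugin_metadata(active_slugs(WP_CLI_PLUGIN_LIST), BASELINE, CURRENT)


if __name__ == "__main__":
    for f in run_check():
        print(f"{'ACTIVE  ' if f.active else 'inactive'} {f.slug}: {f.kind} ({f.detail})")
```

An author change is not proof of compromise, but it is exactly the event the article says administrators are never told about, so it is worth surfacing for review before the next update is applied; a closed listing for a plugin that is still active is a stronger signal and a reason to disable it until the closure reason is understood.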
This incident marks the second major hijack of a WordPress plugin discovered within a two-week period. Security researchers have previously flagged the risks of such supply chain attacks, particularly when developers gain broad permissions across user installations.