Apr 25, 2026 · Updated 11:32 PM UTC
Cybersecurity

Malicious actor acquires WordPress plugin portfolio to plant long-term backdoors

An attacker purchased a collection of over 30 WordPress plugins on Flippa to deploy a sophisticated supply chain attack that remained dormant for eight months.

Ryan Torres



A massive supply chain attack has compromised more than 30 WordPress plugins following a high-priced acquisition of a popular plugin portfolio. The breach, discovered in April 2026, reveals a coordinated effort to plant backdoors in trusted software months before activation.

Security researchers at CaptainCore identified the breach after a client reported a security notice in the WordPress dashboard. The notice, issued by the WordPress.org Plugins Team, warned that the 'Countdown Timer Ultimate' plugin contained code allowing unauthorized third-party access.

Investigation shows the backdoor relied on PHP deserialization to gain remote code execution. The malicious code was introduced in version 2.6.7 of the plugin, released on August 8, 2025, and sat dormant for approximately eight months before being weaponized.

Blockchain-based command and control

The attack used a command-and-control (C2) mechanism built to survive takedowns rather than to evade detection on the host. The plugin's analytics module would 'phone home' to a remote server and download a backdoor file disguised as a legitimate WordPress core file.

Once active, the malware injected a code block into the site's wp-config.php. That block fetched spam links and redirects and served them only to requests whose user agent identified as Googlebot, so administrators and ordinary visitors saw a clean site while search engines indexed the spam. To withstand domain takedowns, the malware did not hard-code its C2 hostname: it resolved the current domain by querying an Ethereum smart contract through public blockchain RPC endpoints.

'Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time,' according to findings from the security audit.

The breach follows the sale of the 'Essential Plugin' portfolio on the marketplace Flippa. The original developers, a team known as WP Online Support, listed the business for sale in late 2024 following a revenue decline. An unidentified buyer, referred to as 'Kris,' purchased the 30-plugin portfolio for a six-figure sum in early 2025.

Following the acquisition, the plugins' author headers were changed, and malicious updates were pushed under the new 'essentialplugin' account. WordPress.org has since force-updated the affected plugins to neutralize the phone-home mechanism, but a forced update only replaces the plugin's own files. wp-config.php is not part of any plugin, so researchers found the injected block still active on some systems; it has to be located and removed by hand.
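The wp-config.php residue described above, together with the Googlebot cloaking described under the C2 heading, is what an operator most needs to find after the forced plugin update. The following is an added example of a heuristic scanner for that residue, written for this article rather than taken from CaptainCore or WordPress.org. The rule set, the `example.invalid` URL and both embedded sample configs are assumptions constructed for illustration, not indicators recovered from the incident.

```python
"""Heuristic scanner for an injected block in wp-config.php.

Added example, not code from CaptainCore or WordPress.org. It looks for the
shape the article describes (a block that fetches remote content and serves
it only when the request looks like Googlebot) plus generic signs of
tampering. Both config samples below are constructed for illustration and
are not indicators from the incident.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# A stock wp-config.php holds define()s, $table_prefix, the ABSPATH guard and
# one require of wp-settings.php. None of the constructs below belong there.
# Note: remote_fetch only matches a literal URL; a URL assembled at runtime
# would surface through the other rules (user-agent test, eval, obfuscation).
RULES = [
    ("googlebot_cloaking", re.compile(r"googlebot", re.IGNORECASE)),
    ("user_agent_check", re.compile(r"HTTP_USER_AGENT", re.IGNORECASE)),
    ("remote_fetch", re.compile(
        r"\b(file_get_contents|fopen|curl_init|curl_exec)\s*\(\s*['\"]?https?://",
        re.IGNORECASE)),
    ("dynamic_eval", re.compile(r"\b(eval|assert|create_function)\s*\(", re.IGNORECASE)),
    ("obfuscation", re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(",
        re.IGNORECASE)),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    text: str


def scan_wp_config(source: str) -> List[Finding]:
    """Return every rule hit, plus any code placed after the wp-settings.php require."""
    findings: List[Finding] = []
    after_settings = False
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        # Nothing executable should follow the require of wp-settings.php.
        if after_settings and stripped and not stripped.startswith(("//", "#", "/*", "*")):
            findings.append(Finding(line_no, "code_after_wp_settings", stripped))
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule, stripped))
        if "require" in line and "wp-settings.php" in line:
            after_settings = True
    return findings


def is_suspicious(findings: List[Finding]) -> bool:
    """High-confidence rules count alone; a user-agent test counts only together
    with a remote fetch, since that pairing is the cloaking pattern."""
    rules = {f.rule for f in findings}
    if rules & {"dynamic_eval", "obfuscation", "code_after_wp_settings"}:
        return True
    return "remote_fetch" in rules and bool(rules & {"googlebot_cloaking", "user_agent_check"})


# Constructed sample: a clean wp-config.php reduced to its essential lines.
CLEAN_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'change-me' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed sample: the same file with a crawler-conditional fetch prepended.
# The block imitates the shape the article describes; it is not real malware.
INJECTED_CONFIG = """<?php
if ( isset( $_SERVER['HTTP_USER_AGENT'] ) && stripos( $_SERVER['HTTP_USER_AGENT'], 'Googlebot' ) !== false ) {
    echo file_get_contents( 'http://example.invalid/links.txt' );
}
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'change-me' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""


if __name__ == "__main__":
    # Scan the file given on the command line, or the embedded injected sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = INJECTED_CONFIG
    hits = scan_wp_config(text)
    for f in hits:
        print(f"line {f.line_no}: {f.rule}: {f.text}")
    print("suspicious" if is_suspicious(hits) else "no findings of concern")
```

Run it against a site's real wp-config.php, or with no argument to scan the embedded sample. A hit on `code_after_wp_settings`, `dynamic_eval` or `obfuscation` is worth manual review on its own; a user-agent test is only escalated alongside a remote fetch, because a bare `HTTP_USER_AGENT` reference can appear in legitimate but unusual configs. The rules are deliberately loose; treat a clean result as "nothing obvious", not as proof the file is untouched.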
