Backdoor in EssentialPlugin WordPress suite leads to infected wp-config.php via malicious updates
Summary
A backdoor implanted in more than 30 WordPress plugins distributed as part of the EssentialPlugin suite allowed attackers to push malware to websites running the affected plugins. The malicious code was introduced after the project changed hands in August 2025 and lay dormant until it was activated through plugin updates. Once active, it injected code into wp-config.php and served spam pages or redirects only to search engine crawlers such as Googlebot, so site owners and ordinary visitors saw an unchanged site. The command-and-control (C2) server address was resolved through Ethereum rather than a fixed domain, which lets the operators change the endpoint on-chain and makes it harder to block or seize. WordPress.org closed the affected plugins and pushed forced updates that neutralize the backdoor's communication channel; those updates do not clean a wp-config.php that was already infected.
Timeline
- 15.04.2026 23:33 · 1 article
  Malicious update in EssentialPlugin suite triggers backdoor-driven malware injection in WordPress sites
  A dormant backdoor planted in EssentialPlugin's suite of over 30 WordPress plugins, introduced after the project's acquisition in August 2025, was activated via updates, enabling unauthorized code execution and wp-config.php infection. The malware fetched malicious payloads from a C2 server whose address was resolved through Ethereum, generating cloaked spam and redirects visible only to crawlers. WordPress.org issued forced updates to disable the backdoor's execution path and neutralize live C2 communication, but did not clean infected wp-config.php files.
  Sources: WordPress plugin suite hacked to push malware to thousands of sites — www.bleepingcomputer.com — 15.04.2026 23:33
Information Snippets
- The backdoor was introduced into the EssentialPlugin suite after the project was acquired in August 2025 for a six-figure sum.
  First reported: 15.04.2026 23:33 · 1 source, 1 article
  Source: WordPress plugin suite hacked to push malware to thousands of sites — www.bleepingcomputer.com — 15.04.2026 23:33
- Over 30 plugins within the EssentialPlugin package were compromised, together accounting for hundreds of thousands of active installations.
  First reported: 15.04.2026 23:33 · 1 source, 1 article
  Source: WordPress plugin suite hacked to push malware to thousands of sites — www.bleepingcomputer.com — 15.04.2026 23:33
- The backdoor activated silently and contacted an external C2 server to fetch a file named 'wp-comments-posts.php', a name chosen to resemble the legitimate core file wp-comments-post.php; that fetched file injected the malware into 'wp-config.php'.
  First reported: 15.04.2026 23:33 · 1 source, 1 article
  Source: WordPress plugin suite hacked to push malware to thousands of sites — www.bleepingcomputer.com — 15.04.2026 23:33
- The injected malware remained invisible to site owners because it displayed spam, redirects and fake pages only to search engine crawlers such as Googlebot; ordinary visitors and the owner's own browser received the unmodified site.
  First reported: 15.04.2026 23:33 · 1 source, 1 article
  Source: WordPress plugin suite hacked to push malware to thousands of sites — www.bleepingcomputer.com — 15.04.2026 23:33
- The C2 server address was resolved through Ethereum rather than a fixed, registrar-controlled domain, an evasion technique that lets the operators change the endpoint on-chain and makes it harder to block or seize, and which may also blend malicious traffic with legitimate blockchain-related requests. Outbound connections from a web server to Ethereum RPC or blockchain-explorer hosts are worth alerting on when the site has no business reason to make them.
  First reported: 15.04.2026 23:33 · 1 source, 1 article
  Source: WordPress plugin suite hacked to push malware to thousands of sites — www.bleepingcomputer.com — 15.04.2026 23:33
- WordPress.org responded by closing the affected plugins in the plugin directory and issuing a forced update that disables the backdoor's execution path and cuts off its live C2 communication.
  First reported: 15.04.2026 23:33 · 1 source, 1 article
  Source: WordPress plugin suite hacked to push malware to thousands of sites — www.bleepingcomputer.com — 15.04.2026 23:33
- The forced update does not clean or restore wp-config.php, so a site that was already infected stays compromised until the injected code is removed by hand. Owners of affected sites should also check the web root for the fetched wp-comments-posts.php file and treat the database credentials and authentication keys defined in wp-config.php as exposed, since the malware had write access to that file.
  First reported: 15.04.2026 23:33 · 1 source, 1 article
  Source: WordPress plugin suite hacked to push malware to thousands of sites — www.bleepingcomputer.com — 15.04.2026 23:33
- Patchstack's analysis indicates the backdoor only activated if the 'analytics.essentialplugin.com' endpoint returned malicious serialized content. As long as that endpoint served benign data, the code looked like an ordinary telemetry call to the vendor's own host, which is how it could sit dormant in shipped releases until the operators chose to activate it. Any plugin that deserializes content fetched from a remote host deserves the same scrutiny, because the server side of such a call can be changed at any time without a new plugin release.
  First reported: 15.04.2026 23:33 · 1 source, 1 article
  Source: WordPress plugin suite hacked to push malware to thousands of sites — www.bleepingcomputer.com — 15.04.2026 23:33
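The manual remediation the snippets above describe starts with finding the injected code in wp-config.php. The scanner below is an added example, not code from the report, from Patchstack or from WordPress.org. Its indicator set is my own assumption, built from the one concrete artifact this page names (the wp-comments-posts.php file), generic PHP obfuscation patterns, a crawler-gating pattern matching the cloaking behaviour described, and the rule that a stock wp-config.php ends with the wp-settings.php include; the two sample configurations are constructed, and the base64 payload in the infected sample decodes to a harmless `echo 1;`.

```python
"""Scan wp-config.php for injected code.  Added example, not code from the report,
Patchstack or WordPress.org.  Indicator patterns and the sample files are assumptions."""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Things that do not belong in a stock wp-config.php (assumed indicator set; extend as needed).
INDICATORS = {
    # file name this page reports the backdoor fetching (lookalike of core wp-comments-post.php)
    "known_dropper_name": re.compile(r"wp-comments-posts\.php", re.I),
    # include/require of a variable, a URL, a parent path or a temp location
    "dynamic_include": re.compile(
        r"\b(include|require)(_once)?\s*\(?\s*(\$|['\"](https?:|\.\./|/tmp))", re.I),
    # classic obfuscated loaders
    "obfuscated_eval": re.compile(
        r"\b(eval|assert|create_function)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\b",
        re.I),
    "encoded_string": re.compile(r"(\\x[0-9a-f]{2}){8,}|(chr\(\d+\)\s*\.\s*){6,}", re.I),
    # code that branches on the crawler's user agent: the cloaking this page describes
    "crawler_gate": re.compile(r"HTTP_USER_AGENT.*?(googlebot|bingbot|slurp)", re.I),
}
# a stock wp-config.php ends by loading wp-settings.php; PHP statements after it are unexpected
SETTINGS_INCLUDE = re.compile(r"require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]\s*\)?\s*;")


def scan_wp_config(text: str) -> list[dict]:
    """Return one finding per (line, indicator) hit; an empty list means nothing suspicious."""
    findings: list[dict] = []
    lines = text.splitlines()
    settings_at = None
    for no, line in enumerate(lines, 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                findings.append({"line": no, "indicator": name, "text": line.strip()})
        if SETTINGS_INCLUDE.search(line):
            settings_at = no
    if settings_at is not None:
        # anything that is not a comment after the wp-settings.php include is flagged
        for no, line in enumerate(lines[settings_at:], settings_at + 1):
            s = line.strip()
            if s and not s.startswith(("//", "#", "/*", "*", "?>")):
                findings.append({"line": no, "indicator": "code_after_wp_settings", "text": s})
    return findings


def scan_file(path: str | Path) -> list[dict]:
    return scan_wp_config(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed samples: a minimal clean config and the same file with an injection of the
# kind described on this page (a dropped include plus a crawler-gated obfuscated loader).
CLEAN = """<?php
define( 'DB_NAME', 'wp' );
define( 'DB_USER', 'wp' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""
INFECTED = CLEAN.replace(
    "$table_prefix = 'wp_';",
    "$table_prefix = 'wp_';\n@include_once $_SERVER['DOCUMENT_ROOT'] . '/wp-comments-posts.php';",
) + ("if (stripos($_SERVER['HTTP_USER_AGENT'] ?? '', 'googlebot') !== false) "
     "{ eval(base64_decode('ZWNobyAxOw==')); }  // decodes to 'echo 1;', constructed placeholder\n")

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_wp_config(INFECTED)
    for h in hits:
        print(f"line {h['line']:>4}  {h['indicator']:<24} {h['text'][:80]}")
    sys.exit(1 if hits else 0)
```

Point it at a real wp-config.php (`python scan_wp_config.py /var/www/html/wp-config.php`); the exit status makes it usable in a cron job or a fleet-wide loop over hosting accounts. The `code_after_wp_settings` rule will fire on legitimate local customisations some hosts append after the include, so review those hits rather than deleting on sight, and remember that a clean wp-config.php does not mean the site is clean: the fetched dropper and anything it wrote elsewhere still need to be found, and the secrets in the file should still be rotated.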