- A malicious actor purchased 31 WordPress plugins from Essential Plugin
- Updates injected backdoors, granting full access to the site
- Spam campaigns hidden from owners, C2 solved by Ethereum smart contract
A hacker purchased more than 30 legitimate WordPress plugins and abused their good reputation to infect tens of thousands of websites with backdoors.
Austin Ginder, founder of Anchor Hosting, reported how a customer recently alerted him to a known plugin that was suddenly allowing access by unauthorized third parties. The investigation led him to a somewhat disturbing discovery: a company that developed 31 WordPress plugins, both free and premium versions, was sold in early 2025 to a person who called himself “Kris.”
That person then added malicious code to all the plugins and pushed the update to WordPress websites that were actively using them.
Article continues below.
Injecting sophisticated code
The malicious company is called Essential Plugin and claims that its products have been installed more than 400,000 times and are actively used by more than 15,000 customers. The official WordPress repository shows more than 20,000 active WordPress installations.
The malware was essentially a backdoor that gave the attacker full access to the websites. The goal appears to have been to propagate existing spam campaigns:
“The injected code was sophisticated,” Ginder explained. “It fetched spam links, redirects, and fake pages from a command and control server. It only showed the spam to Googlebot, making it invisible to the site owners. And here’s the wildest part. It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain deletions wouldn’t work because the attacker could update the smart contract to point to a new domain at any time.”
The full list of compromised plugins can be found at this link. If you are using any of these, it would be wise to replace them with a safer alternative. Ginder also shared a patching method on her blog.
Meanwhile, WordPress removed all malicious plugins from the repository.
Through TechCrunch
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
