Ethical Hacking News
The EssentialPlugin package has been hacked, allowing hackers to push malware to thousands of WordPress sites. The incident highlights the ongoing threat landscape and underscores the importance of vigilance among website administrators and developers.
The EssentialPlugin package was hacked and started pushing malware to thousands of sites via updates. A backdoor had been present in all plugins within the EssentialPlugin package since August 2025, waiting to be activated. The malware was injected into 'wp-config.php' and used Ethereum-based C2 address resolution for evasion. WordPress.org responded by closing the plugins and pushing a forced update, but noted that the update did not clean the wp-config core configuration file. Admins with websites running an EssentialPlugin product were warned to be vigilant and to check multiple files for malware.
The world of cybersecurity is always evolving, and it seems that even reputable companies can fall prey to malicious actors. Recently, a prominent WordPress plugin suite has been hacked, allowing hackers to push malware to thousands of sites.
The EssentialPlugin package, which boasts hundreds of thousands of active installations, was compromised with malicious code last year but only recently started pushing it to users via updates. According to Austin Ginder, the founder of managed WordPress hosting provider Anchor Hosting, the investigation that uncovered the activity was prompted by a tip about an add-on containing code that allowed third-party access.
Further investigation by Ginder revealed that a backdoor had been present in all plugins within the EssentialPlugin package since August 2025, when the project was acquired in a six-figure deal by a new owner. The backdoor sat inactive until it was recently activated and silently contacted external infrastructure to fetch a file ('wp-comments-posts.php') that injects malware into 'wp-config.php'.
The downloaded malware is invisible to site owners and uses Ethereum-based C2 address resolution for evasion. Depending on the received instructions, the malware can retrieve "spam links, redirects, and fake pages". According to Ginder, "The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners."
WordPress.org responded quickly to reports of this malicious activity by closing the plugins and pushing a forced update to websites to neutralize the backdoor's communication and disable its execution path. However, WordPress.org warned that the forced update did not clean the wp-config core configuration file, which connects a website to its database and holds other important settings.
Moreover, WordPress.org cautioned administrators with websites running an EssentialPlugin product that while one known location for the backdoor is a file named wp-comments-posts.php, which resembles the legitimate wp-comments-post.php, the malware may also hide in other files. This complicates cleanup, since the infection can persist in more than one location even after the plugins themselves have been neutralized.
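As an added illustration of the checks WordPress.org's warning implies (not code from the article or from any of the parties it describes), the script below walks a WordPress root for the lookalike filename wp-comments-posts.php and scans wp-config.php for code that does not belong in a configuration file. The indicator patterns (Googlebot cloaking, eval/decoder calls, remote fetches) are assumptions drawn from the article's description, not a published signature, and the sample site tree is constructed.

```python
"""Triage helpers for the EssentialPlugin incident: lookalike dropper file
and tampered wp-config.php. Indicator patterns are assumptions based on the
article (Googlebot-only cloaking, remote C2 fetch), not a vendor signature."""
import os
import re
import tempfile
from pathlib import Path

LOOKALIKE = "wp-comments-posts.php"   # backdoor filename named in the article
LEGIT = "wp-comments-post.php"        # genuine WordPress core file

# A clean wp-config.php holds define() calls, $table_prefix and the
# wp-settings.php require; none of these constructs belong there (assumption).
SUSPICIOUS = {
    "googlebot-cloaking": re.compile(r"googlebot", re.I),
    "eval-or-decoder": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\("),
    "remote-fetch": re.compile(r"\b(curl_exec|file_get_contents|wp_remote_get)\s*\(\s*['\"]https?://"),
    "lookalike-include": re.compile(re.escape(LOOKALIKE)),
}

def find_lookalike_files(root):
    """Return every path under root whose basename is exactly the dropper name."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if f == LOOKALIKE)

def scan_wp_config(path):
    """Return (indicator, line_number) pairs for suspicious lines in wp-config.php."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            for name, pat in SUSPICIOUS.items():
                if pat.search(line):
                    hits.append((name, n))
    return hits

def build_fixture():
    """Constructed sample tree: clean core file, lookalike dropper, tampered wp-config.php."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    (root / LEGIT).write_text("<?php // genuine core file\n")
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "uploads" / LOOKALIKE).write_text("<?php // constructed stand-in\n")
    (root / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wp');\n$table_prefix = 'wp_';\n"
        # Constructed, inert line standing in for injected cloaking code (line 4).
        "if (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) { eval(base64_decode('...')); }\n"
        "require_once ABSPATH . 'wp-settings.php';\n")
    return str(root)

if __name__ == "__main__":
    site = build_fixture()
    print("lookalike files:", find_lookalike_files(site))
    print("wp-config.php hits:", scan_wp_config(site + "/wp-config.php"))
```

On a real host, point find_lookalike_files at the site root and review every hit by hand; a clean wp-config.php should produce no hits at all.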
The impact of this incident underscores the importance of vigilance among website administrators and developers. Even seemingly reputable companies can be vulnerable to attacks if they fail to maintain adequate security controls. It is essential for businesses and organizations to stay informed about potential threats and take proactive steps to protect their digital assets from such malicious actors.
In conclusion, the recent incident involving the EssentialPlugin package highlights the ongoing threat landscape in the world of cybersecurity. As with any cybersecurity issue, it is crucial to stay vigilant, maintain robust security measures, and collaborate with experts to prevent similar incidents in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/Malware-Hijacks-EssentialPlugin-Package-to-Infect-Thousands-of-WordPress-Sites-ehn.shtml
https://www.bleepingcomputer.com/news/security/wordpress-plugin-suite-hacked-to-push-malware-to-thousands-of-sites/
https://www.techradar.com/pro/security/wordpress-websites-under-attack-expert-report-says-dozens-of-plugins-hijacked-to-target-thousands-of-sites
https://techcrunch.com/2026/04/14/someone-planted-backdoors-in-dozens-of-wordpress-plugins-used-in-thousands-of-websites/
Published: Wed Apr 15 16:29:54 2026 by llama3.2 3B Q4_K_M