Attacker Bought 30 WordPress Plugins on Flippa and Backdoored All of Them


An attacker purchased over 30 WordPress plugins with 400,000 combined installations on Flippa for a six-figure sum, then planted a PHP deserialization backdoor in the very first commit after taking ownership. The backdoor sat dormant for eight months before activating in April 2026, injecting cloaked SEO spam. Command-and-control ran through an Ethereum smart contract, so the traditional response of taking down a C2 domain had nothing to act on. WordPress.org closed all 31 plugins and pushed a forced update, but that update did not clean wp-config.php files that had already been compromised. The incident highlights a structural gap in the WordPress ecosystem: unlike npm and PyPI, it has no mandatory 2FA, provenance attestation, or review process for plugin ownership transfers. The pattern (buy a trusted package, inherit commit access, wait, then strike) is not WordPress-specific; it applies equally to npm, PyPI, browser extensions, and the VS Code marketplace.
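Because the forced update left compromised wp-config.php files in place, site operators have to check those files themselves, and the most useful first pass is a heuristic scan for the two indicators the article names: request data reaching unserialize() in plugin code, and unexpected statements appended to wp-config.php. The scanner below is an added example, not code from the article or from WordPress.org; the sample files are constructed, and both the three-line taint window and the list of lines a stock wp-config.php legitimately has after its "stop editing" marker are assumptions.

```python
import re

# Constructed sample files for this example; none of this is code from the
# incident. One clean plugin, one plugin that feeds cookie data to unserialize(),
# and a wp-config.php with a line appended after the "stop editing" marker.
SAMPLES = {
    "clean-plugin/clean.php": "<?php\n"
        "add_action('init', function () { $o = get_option('clean_opts'); });\n",
    "widget-plugin/widget.php": "<?php\n"
        "$p = isset($_COOKIE['wp_prefs']) ? $_COOKIE['wp_prefs'] : '';\n"
        "$data = unserialize(base64_decode($p));\n",
    "wp-config.php": "<?php\n"
        "define('DB_NAME', 'wp');\n"
        "/* That's all, stop editing! Happy publishing. */\n"
        "if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' ); }\n"
        "require_once ABSPATH . 'wp-settings.php';\n"
        "@include_once WP_CONTENT_DIR . '/uploads/.cache.php';\n",
}

SUPERGLOBAL = re.compile(r"\$_(GET|POST|COOKIE|REQUEST|SERVER)\b")
UNSERIALIZE = re.compile(r"\bunserialize\s*\(")
STOP_MARKER = "stop editing"
# Assumption: the only statements a stock wp-config.php has after the marker
# are the ABSPATH guard and the wp-settings.php include (plus blanks/comments).
EXPECTED_TAIL = re.compile(
    r"^\s*($|//|/\*|\*|\}|if\s*\(\s*!\s*defined\s*\(\s*'ABSPATH'"
    r"|define\s*\(\s*'ABSPATH'|require_once\s+ABSPATH\s*\.\s*'wp-settings\.php')")

def scan_file(path, text, window=3):
    """Return (rule, line_no, line) findings for one PHP file's contents."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if UNSERIALIZE.search(line):
            # Taint heuristic: a request superglobal within `window` lines above.
            ctx = "\n".join(lines[max(0, i - window):i + 1])
            rule = "unserialize-tainted" if SUPERGLOBAL.search(ctx) else "unserialize"
            findings.append((rule, i + 1, line.strip()))
    if path.endswith("wp-config.php"):
        after_marker = False
        for i, line in enumerate(lines):
            if STOP_MARKER in line:
                after_marker = True
                continue
            if after_marker and not EXPECTED_TAIL.match(line):
                findings.append(("wp-config-tail", i + 1, line.strip()))
    return findings

def scan_all(files):
    """Map path -> findings, keeping only files that produced at least one."""
    results = {path: scan_file(path, text) for path, text in files.items()}
    return {path: f for path, f in results.items() if f}
```

A hit on the "unserialize-tainted" rule is a review prompt, not proof of a backdoor, since some legitimate plugins deserialize cookie data; the "wp-config-tail" rule is the higher-signal one because a stock wp-config.php should never gain statements after the marker.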

From infoq.com