Over 30 WordPress plugins in the EssentialPlugin package were compromised with a backdoor planted after the project was acquired in a six-figure deal in August 2025. The backdoor remained dormant until it was recently activated, then silently contacted external infrastructure to inject malware into wp-config.php. The malware used Ethereum-based C2 address resolution for evasion and showed spam links and fake pages only to Googlebot, making it invisible to site owners. WordPress.org responded by closing the plugins and pushing a forced update to neutralize the backdoor, but warned that wp-config.php may still be infected and that malware could be hiding in additional files beyond the known wp-comments-posts.php location.
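The known file name differs by one letter from WordPress core's wp-comments-post.php, so a root-directory audit that flags non-core PHP files and marks near-misses of core names will surface it. The following is an added example, not code from WordPress.org or the original report; the 0.9 similarity cutoff and the function names are assumptions, and the sample directory is constructed.

```python
import difflib
import tempfile
from pathlib import Path

# Root-level PHP files shipped by WordPress core, plus the site's own wp-config.php.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

def audit_wp_root(root):
    """Return [(filename, core_name_it_imitates_or_None)] for non-core PHP files."""
    findings = []
    for path in sorted(Path(root).glob("*.php")):  # root level only, not recursive
        name = path.name
        if name in CORE_ROOT_PHP:
            continue
        # A near-miss of a core name is more suspicious than an arbitrary extra file.
        # cutoff=0.9 is an assumed threshold, tune it for your own file names.
        close = difflib.get_close_matches(name, sorted(CORE_ROOT_PHP), n=1, cutoff=0.9)
        findings.append((name, close[0] if close else None))
    return findings

def run_sample_audit():
    """Audit a constructed tree: every core name plus two extra files."""
    extras = {"wp-comments-posts.php", "site-verification.php"}  # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        for name in CORE_ROOT_PHP | extras:
            (Path(tmp) / name).write_text("<?php // constructed placeholder\n")
        return audit_wp_root(tmp)

if __name__ == "__main__":
    for name, imitates in run_sample_audit():
        note = f"look-alike of core file {imitates}" if imitates else "not a core file"
        print(f"{name}: {note}")
```

On a real site, pass the WordPress root path to `audit_wp_root`. The audit covers only root-level file names, so an empty result says nothing about the contents of wp-config.php or about files elsewhere in the tree.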