A number of plug-ins for WordPress have been taken offline after security researchers uncovered a backdoor used to distribute malicious code to affected websites.
The backdoor was identified following a change in ownership of plug-in developer Essential Plugin, according to cybersecurity researchers. Reportedly inserted into the plug-ins’ source code after the acquisition, it remained dormant before activating earlier this month.
Once triggered, the malicious code was pushed to websites running the compromised plug-ins, potentially exposing thousands of installations to security risks. Essential Plugin claims to have served over 400,000 installations, while WordPress data indicates tens of thousands of active deployments.
Security experts have warned that plug-ins, which require deep access to website systems, can become attack vectors if compromised. The incident highlights risks associated with supply chain attacks, particularly when software ownership changes without user awareness.
The affected plug-ins have since been removed from the WordPress directory. Website administrators are being advised to review their installations and remove any compromised extensions to prevent further exposure.















