A significant supply chain attack has compromised dozens of plugins for the widely used WordPress content management system, exposing thousands of websites to malicious code. The backdoor was discovered by Anchor Hosting founder Austin Ginder after the plugins' parent company, Essential Plugin, was acquired by a new owner last year.

According to Ginder's blog post, the malicious code lay dormant within the plugins' source code until earlier this month, when it activated and began pushing harmful scripts to any website with the affected plugins installed. The plugins have since been permanently removed from the official WordPress directory.

Scale of the Compromise

Essential Plugin's own website claims over 400,000 plugin installs and more than 15,000 customers; WordPress.org's data puts the compromised plugins at over 20,000 active installations. This is the second hijack of a WordPress plugin discovered in as many weeks.

Security experts have long warned of the risk that a malicious actor buys a legitimate software company to reach its user base: the buyer inherits the publisher's existing update channel, so whatever it ships arrives through the same path users already trust, and nothing in that path signals that control has changed hands. "WordPress users are not notified of any plugins’ change in ownership," Ginder warned, "exposing users to potential takeover attacks by their new owners."

Response and Recommendations

Removal from the directory stops new downloads and updates, but it does not uninstall the code from sites that already have it. Ginder has therefore urged all WordPress website administrators to check their installations immediately and remove any of the affected plugins. A full list of the compromised software is available in his original blog post.
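As an added example, not code from the article, Anchor Hosting, Essential Plugin or the WordPress project, the following Python script shows the two checks an administrator would want from the advice above and from Ginder's warning about unannounced ownership changes: it flags any plugin whose directory slug is on a list of affected slugs (the slugs below are placeholders; substitute the list from Ginder's post), and it compares the `Author:` header of each plugin's main file against a baseline recorded earlier, for instance from a known-good backup, so that a quiet change of publisher becomes visible. The header parsing follows the WordPress convention of `Field: value` lines in the first 8 KiB of the main PHP file; the sample plugin tree and the baseline are constructed inline so the script runs offline.

```python
"""Audit a WordPress wp-content/plugins tree for affected slugs and author changes.

Added example for this article; not code from Anchor Hosting, Essential Plugin
or the WordPress project. The slug list, the baseline and the sample plugins
are placeholders / constructed data.
"""
import os
import re
import tempfile

# PLACEHOLDER: replace with the slugs from Ginder's published list.
AFFECTED_SLUGS = {"example-affected-plugin", "another-affected-plugin"}

# Header fields WordPress declares in the main plugin file's comment block.
HEADER_FIELDS = ("Plugin Name", "Author", "Version")


def read_plugin_header(path):
    """Parse 'Field: value' header lines from the first 8 KiB of a PHP file.

    Mirrors how WordPress locates headers: a line that may begin with comment
    punctuation, then the field name, a colon, and the value.
    """
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    meta = {}
    for field in HEADER_FIELDS:
        pattern = r"^[ \t/*#@]*" + re.escape(field) + r":[ \t]*(.*?)[ \t]*$"
        match = re.search(pattern, head, re.MULTILINE | re.IGNORECASE)
        if match and match.group(1):
            meta[field] = match.group(1)
    return meta


def find_main_file(plugin_dir):
    """Return (filename, header) for the top-level .php file declaring 'Plugin Name'."""
    for name in sorted(os.listdir(plugin_dir)):
        if name.lower().endswith(".php"):
            meta = read_plugin_header(os.path.join(plugin_dir, name))
            if "Plugin Name" in meta:
                return name, meta
    return None, {}


def audit_plugins(plugins_root, affected=AFFECTED_SLUGS, author_baseline=None):
    """Return (slug, reason) findings, in slug order, for plugins under plugins_root.

    author_baseline maps slug -> Author string recorded earlier; a mismatch is
    reported as a possible change of ownership. Plugins with no parsable header
    are reported too, since they cannot be attributed to anyone.
    """
    author_baseline = author_baseline or {}
    findings = []
    for entry in sorted(os.listdir(plugins_root)):
        full = os.path.join(plugins_root, entry)
        if os.path.isdir(full):
            slug = entry
            main_file, meta = find_main_file(full)
        elif entry.lower().endswith(".php"):
            slug = entry[:-4]  # single-file plugin such as hello.php
            meta = read_plugin_header(full)
            main_file = entry if "Plugin Name" in meta else None
        else:
            continue
        if slug in affected:
            findings.append((slug, "slug on affected list"))
        if main_file is None:
            findings.append((slug, "no plugin header found"))
            continue
        if slug in author_baseline and meta.get("Author", "") != author_baseline[slug]:
            findings.append((slug, "author changed: %r -> %r"
                             % (author_baseline[slug], meta.get("Author", ""))))
    return findings


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_tree():
    """Construct a throwaway plugins directory (sample data, not real plugins)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    header = "<?php\n/**\n * Plugin Name: %s\n * Author: %s\n * Version: 1.0.0\n */\n"
    _write(os.path.join(root, "good-plugin", "good-plugin.php"),
           header % ("Good Plugin", "Sample Vendor"))
    _write(os.path.join(root, "example-affected-plugin", "main.php"),
           header % ("Example Affected", "Sample Vendor"))
    _write(os.path.join(root, "changed-owner-plugin", "plugin.php"),
           header % ("Changed Owner", "New Owner Inc"))
    _write(os.path.join(root, "hello.php"), header % ("Hello", "Sample Vendor"))
    _write(os.path.join(root, "opaque-plugin", "readme.txt"), "no php here\n")
    return root


# Constructed baseline: what the Author headers looked like before the event.
SAMPLE_BASELINE = {"good-plugin": "Sample Vendor",
                   "changed-owner-plugin": "Original Dev LLC",
                   "hello": "Sample Vendor"}

if __name__ == "__main__":
    for slug, reason in audit_plugins(build_sample_tree(), author_baseline=SAMPLE_BASELINE):
        print(f"{slug}: {reason}")
```

On a real site, point `audit_plugins` at `wp-content/plugins` and build the baseline once from a trusted copy; the Author header is writable by whoever ships the update, so a match proves only that it was not changed, while a mismatch is a prompt to look at who now controls the plugin.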

Representatives for Essential Plugin did not respond to requests for comment from TechCrunch. The incident underscores how much trust sites place in third-party extensions to widely used open-source platforms, and in whoever controls those extensions' update channel.