Published: 2026 Apr 22
i think it's a bit late to post this; i had learned about this days ago but was too lazy to write it up, so here we go. on 6th April, between 4:22 and 11:06 UTC, almost all WordPress websites using the 'Essential Plugins' portfolio became victims of what is, in my perspective, the most sophisticated supply-chain attack the platform has ever seen.
the reason was pretty evident. if any of you are in touch with web development or web sec, you might know that WordPress's plugin system is essentially a swamp infested with vulnerabilities, and this is the main reason i don't use WP and nearly always avoid it. before getting into the vulns or the attack, you should know that plugins in WP are essentially just php scripts which the owner of a WP site uses to add functionality that WP doesn't offer by itself. because of this, plugins are insanely popular on the platform, but i myself don't think WP has done a thing of quality to make this system secure: the platform rarely ever monitors the transfer of ownership of these plugins (more like insecure php scripts), nor does it check how secure they are or whether there are any zero-days in them.
now we're getting to the attack. likely in August 2025, a very nice person by the moniker of 'Kris' legitimately bought the full Essential Plugins portfolio through the digital marketplace Flippa for some six-figure sum. then the person waited nearly 8 months before doing anything. after the long hiatus, on 6th April, in the timeframe i mentioned, a C2 domain called analytics.essentialplugin.com (it's a common thing in these circles to name the C2 with the word 'analytics') started distributing pesky payloads to all the sites using the vulnerable plugins; as y'all would've guessed, the plugins downloaded this payload and the sites were compromised. the aim of the attack was apparently to cloak the search rankings, meaning to manipulate the rankings by serving manipulated content to the search engine crawlers. so that changes the plot: now y'all can see that Kris aimed to manipulate the search rankings of the affected sites, not by actually attacking the sites themselves but by using the plugins on those sites as vectors for sending the malicious payload to the crawler, all done well thanks to how sloppy WP's monitoring system was.
so this was all done by planting a backdoor in the plugins which let the C2 domain inject the payloads. Kris planted the backdoor after buying the plugins, and this was hella easy, because here you aren't a megabrained mr.robot trying to get into a system and plant a backdoor; you have admin privilege to do anything to the plugin, so Kris could just type up some lines of php and execute them. the malicious code (the backdoor) was planted in v2.6.7 of the plugin in August 2025, the same month Kris bought the plugin (boy, the person is KEEN), and the changelog entry was of course given a very innocent title, "Check compatibility with WordPress version 6.8.2". these 191 lines of code sat silent for the whole 8 months. when the day came, it was activated: the plugin's internal wpos-analytics module downloaded a file that went by the name wp-comments-post.php and then used that file to inject code into the most vital file of any WP site, wp-config.php. the payload then fetched spam links, fake pages etc. and fed them to Googlebot. as i said, the code didn't do anything visible on the site, and the admins of those sites couldn't see any of this happening, as the code only fed the malicious content to the crawler. the C2 setup was itself pretty clever: instead of a usual domain which could get seized easily, Kris deployed a tactic which is also seen in my project, ColdStrain, where the C2 server is resolved through an Ethereum smart contract, which meant Kris could change the domain as often as wanted, making it insanely difficult to take down or blacklist. this whole attack could've been even worse if it had targeted something more vital with a bit more sophistication than search-ranking manipulation, perhaps user/visitor data if the website had been a shopping site of some sort, as these plugins (or php scripts, or whatever) have admin privileges on the site they are deployed on.
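the script below is an added example written for this post, not code from the post itself and not anything from the Essential Plugins codebase or from WP. it shows the checks a site admin could run to catch the two artifacts described above from the filesystem side: a core-named file such as wp-comments-post.php sitting inside wp-content/plugins/ (that file legitimately lives only at the docroot), and an extra require line added to wp-config.php (a stock wp-config.php only requires wp-settings.php), on top of a plain hash-baseline diff that would have flagged both the dropped file and the edited config. the tiny site tree it builds in a temp dir, the plugin name demo-plugin and the function names are all constructed for the demo; the list of core file names is just the few used here.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Core files that legitimately live only in the WordPress docroot.
# A copy of one of these under wp-content/ (plugins, themes, uploads) is a
# classic sign of a dropped file. Short list for the demo, not exhaustive.
DOCROOT_ONLY = {"wp-comments-post.php", "wp-login.php", "xmlrpc.php", "wp-config.php"}

# include/require statements; a stock wp-config.php only requires wp-settings.php.
INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\b[^;]*;", re.IGNORECASE)
EXPECTED_INCLUDE = "wp-settings.php"


def hash_tree(root):
    """Map every file under root (posix relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(baseline, current):
    """Return (added, changed, removed) relative paths between two hash maps."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    return added, changed, removed


def misplaced_core_files(root):
    """Core-named files found anywhere below wp-content/."""
    content = Path(root) / "wp-content"
    if not content.is_dir():
        return []
    return sorted(
        p.relative_to(root).as_posix()
        for p in content.rglob("*")
        if p.is_file() and p.name in DOCROOT_ONLY
    )


def suspicious_config_includes(config_text):
    """(line number, line) for include/require lines that pull in anything but wp-settings.php."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if INCLUDE_RE.search(line) and EXPECTED_INCLUDE not in line:
            findings.append((lineno, line.strip()))
    return findings


# Constructed minimal wp-config.php; the tampered variant adds one require
# pointing into the plugin tree, standing in for the injection described above.
CLEAN_CONFIG = """<?php
define( 'DB_NAME', 'example' );
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""
TAMPERED_CONFIG = CLEAN_CONFIG + (
    "require_once ABSPATH . 'wp-content/plugins/demo-plugin/wp-comments-post.php';\n"
)


def build_demo_site(root, tampered=False):
    """Write a tiny constructed WP-like tree; tampered=True adds the dropped file and config edit."""
    root = Path(root)
    plugin = root / "wp-content" / "plugins" / "demo-plugin"
    plugin.mkdir(parents=True, exist_ok=True)
    (root / "wp-comments-post.php").write_text("<?php // core file, legitimately at the docroot\n")
    (plugin / "demo-plugin.php").write_text("<?php // harmless plugin stub\n")
    (root / "wp-config.php").write_text(TAMPERED_CONFIG if tampered else CLEAN_CONFIG)
    if tampered:
        (plugin / "wp-comments-post.php").write_text("<?php // constructed stand-in for a dropped file\n")


def run_checks():
    """Baseline a clean tree, audit a tampered copy of it, and return all findings."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        build_demo_site(clean)
        build_demo_site(live, tampered=True)
        added, changed, removed = diff_baseline(hash_tree(clean), hash_tree(live))
        return {
            "added": added,
            "changed": changed,
            "removed": removed,
            "misplaced": misplaced_core_files(live),
            "config": suspicious_config_includes((Path(live) / "wp-config.php").read_text()),
        }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

the baseline diff is the part that matters most in practice: take the hash map right after a clean install or update and re-run it on a schedule, and a changed wp-config.php or a new file under a plugin directory shows up even when nothing on the rendered site looks different, which is exactly the blind spot the cloaking payload relied on.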
and with this attack, the sloppiness of WP's plugin auditing system (or the lack of one) was crystal clear. WP could have mitigated this entire attack if it had a robust auditing system, as it could easily have caught the backdoor instantly (the problem being that the code is reviewed by WP when a plugin is created, but if it goes through an ownership transfer, nothing is done), and because of this stupidity, a lot of sites had a bad time.