30+ WordPress plugins bought on Flippa and backdoored in supply chain attack
Briefly

"The attack, which WordPress.org shut down on 7 April by permanently closing every plugin from the Essential Plugin author, is one of the most methodical supply chain compromises the platform has ever faced - and it exploited a structural vulnerability that WordPress has no mechanism to prevent."
"The malicious code was introduced in version 2.6.7 of the plugins, released on 8 August 2025 with a changelog entry that read 'Check compatibility with WordPress version 6.8.2.' That innocuous note concealed 191 additional lines of PHP, including a deserialization backdoor that would allow remote code execution."
An attacker purchased over 30 WordPress plugins and, in August 2025, introduced a PHP deserialization backdoor into them. The backdoor remained dormant for eight months before activating to serve cloaked SEO spam to Googlebot. WordPress.org responded by closing all affected plugins on April 7, 2026. The incident highlighted a structural vulnerability in WordPress: there is no mechanism to review plugin ownership transfers or to enforce code signing for updates. The buyer, linked to SEO and online marketing, had previously completed a successful transaction on Flippa.
Read at TNW | Apps