30 WordPress Plugins Turned Into Malware After Ownership Change
Source: Slashdot
Overview
More than 30 WordPress plugins have been compromised with malicious code that gives a third party unauthorized access to the sites running them. The backdoor was planted last year but only recently began reaching users through plugin updates; once active it generates spam pages and redirects on instructions from a command‑and‑control (C2) server.
Compromise Details
- The compromise affects plugins with hundreds of thousands of active installations.
- It was first spotted by Austin Ginder, founder of managed WordPress hosting provider Anchor Hosting, after a tip about an add‑on containing code that allowed third‑party access.
- Ginder’s investigation revealed that a backdoor had been present in all plugins within the EssentialPlugin package since August 2025, after the project was acquired in a six‑figure deal by a new owner.
“The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command‑and‑control server. It only showed the spam to Googlebot, making it invisible to site owners,” – Austin Ginder
- WordPress.org’s v2.6.9.1 update neutralized the plugin’s phone‑home mechanism, but it did not modify wp-config.php, so the SEO spam injection continued to serve hidden content to Googlebot.
- The C2 domain was resolved through an Ethereum smart contract, read by querying public blockchain RPC endpoints. This sidesteps traditional domain takedowns: taking down the current domain does not affect the contract, and the attacker can update the contract to point at a new domain at any time.
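Two checks a site operator can run against the behaviour described above, added here as an example for this page; this is not code from the EssentialPlugin package, from Anchor Hosting, or from WordPress.org. The first greps a plugin’s PHP for the three indicators the write‑up names: a user‑agent test for Googlebot, an Ethereum JSON‑RPC `eth_call` used to look up the C2 domain, and a write to wp-config.php. The second compares the links in a page as served to an ordinary browser against the same page served to a client identifying as Googlebot, which is how cloaked spam becomes visible. The PHP sample, the HTML bodies, the indicator regexes and the `rpc.example` / `spam.example` hosts are all constructed for the example and are assumptions, not artefacts recovered from the incident.

```python
"""Detection helpers for the Googlebot-cloaked SEO spam pattern described above.

Everything below is constructed for this example: the PHP sample sketches the
behaviour the write-up describes and is not code from any real plugin, and
the indicator regexes are assumptions about what such code tends to look like.
"""
import re
from html.parser import HTMLParser

# Each indicator maps to one behaviour named in the write-up.
INDICATORS = [
    # serves different content when the visitor identifies as Googlebot
    ("googlebot_ua_check",
     re.compile(r"HTTP_USER_AGENT.{0,80}googlebot|googlebot.{0,80}HTTP_USER_AGENT",
                re.I | re.S)),
    # Ethereum JSON-RPC read used to resolve the C2 domain from a contract
    ("eth_jsonrpc_call",
     re.compile(r'["\']eth_call["\']|"method"\s*:\s*"eth_', re.I)),
    # writes persistence into wp-config.php
    ("wp_config_write",
     re.compile(r"(file_put_contents|fwrite|fopen)\s*\(\s*[^)]*wp-config\.php", re.I)),
]

SAMPLE_PLUGIN = """<?php
// Constructed sample for this example; it sketches the behaviour described
// in the write-up and is not code from any real plugin.
function ep_c2_domain() {
    $rpc  = 'https://rpc.example/';   // hypothetical public JSON-RPC node
    $body = json_encode(['jsonrpc' => '2.0', 'id' => 1, 'method' => 'eth_call',
        'params' => [['to' => '0x0000000000000000000000000000000000000000',
                      'data' => '0x'], 'latest']]);
    $resp = wp_remote_post($rpc, ['body' => $body]);
    return hex2bin(substr(json_decode(wp_remote_retrieve_body($resp))->result, 2));
}
add_action('template_redirect', function () {
    if (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') === false) {
        return;                        // ordinary visitors get the normal page
    }
    echo wp_remote_retrieve_body(wp_remote_get('https://' . ep_c2_domain() . '/links'));
});
file_put_contents(ABSPATH . 'wp-config.php', '// persistence', FILE_APPEND);
"""


def scan_php_source(src: str) -> list[tuple[str, int]]:
    """Return (indicator name, line number) for each hit, ordered by line."""
    hits = []
    for name, pattern in INDICATORS:
        for m in pattern.finditer(src):
            hits.append((name, src.count("\n", 0, m.start()) + 1))
    return sorted(hits, key=lambda h: h[1])


class _LinkCollector(HTMLParser):
    """Collects every <a href> in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs: set[str] = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value)


def extract_links(html: str) -> set[str]:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.hrefs


def cloaking_delta(browser_html: str, googlebot_html: str) -> set[str]:
    """Links served only to the crawler.

    Fetch the same URL twice, once with a normal browser User-Agent and once
    with a User-Agent containing 'Googlebot', and pass both bodies in. Any
    link present only in the crawler's copy is cloaked content.
    """
    return extract_links(googlebot_html) - extract_links(browser_html)


# Constructed responses standing in for the two fetches.
BROWSER_HTML = '<html><body><p>Welcome</p><a href="/about">About</a></body></html>'
GOOGLEBOT_HTML = (
    '<html><body><p>Welcome</p><a href="/about">About</a>'
    '<div style="display:none"><a href="https://spam.example/loans">loans</a>'
    '<a href="https://spam.example/casino">casino</a></div></body></html>'
)

if __name__ == "__main__":
    for name, line in scan_php_source(SAMPLE_PLUGIN):
        print(f"{name:20s} line {line}")
    print("cloaked links:", sorted(cloaking_delta(BROWSER_HTML, GOOGLEBOT_HTML)))
```

The static check is only as good as its regexes; obfuscated or split strings will slip past it, so treat a hit as a reason to read the file, not as a verdict. The differential check has its own blind spot: some cloakers verify the crawler’s source IP as well as the User-Agent, so an empty delta from a spoofed‑UA fetch does not prove the site is clean. Google Search Console’s URL Inspection tool, which fetches as the real crawler, is the authoritative view of what Googlebot was served.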
History of Similar Incidents
- In 2017, a buyer using the alias “Daley Tias” purchased the Display Widgets plugin (≈200,000 installs) for $15,000 and injected payday‑loan spam.
- That buyer later compromised at least nine additional plugins using the same method.
These incidents highlight a broader trust problem in the WordPress plugin marketplace.
WordPress.org Policies and Response
- WordPress.org has no mechanism to flag or review plugin ownership transfers.
- There is no “change of control” notification to users, nor any additional code review triggered by a new committer.
- The Plugins Team responded quickly once the attack was discovered, but eight months elapsed between the backdoor being planted and its detection.
Sources
- Slashdot: 30 WordPress Plugins Turned Into Malware After Ownership Change (credit to Slashdot reader axettone)