
Buyer Spends Six Figures on WordPress Plugins, Plants Backdoors in All 31 for Mass Compromise

A buyer shelled out six figures for a portfolio of 31 WordPress plugins last year. Eight months later, those plugins turned malicious. Backdoors hidden in routine updates compromised thousands of sites, injecting SEO spam invisible to owners but tailored for Googlebot.

The plot unfolded quietly. Essential Plugin, started in 2015 as WP Online Support by Minesh Shah and team in India, built popular add-ons like sliders, galleries, and countdown timers. Revenue dropped 35% to 45% by late 2024. Shah listed the business on Flippa. Enter “Kris,” with a resume in SEO, crypto, and online gambling marketing. The deal closed early 2025. Flippa touted it as a success story in a July case study.

New owner. New WordPress.org account: essentialplugin, created May 12, 2025. Original author headers swapped out by mid-May. Then, August 8, 2025. First commit from the new account hits version 2.6.7 across plugins. Changelog reads bland: “Check compatibility with WordPress version 6.8.2.” Reality? 191 lines of backdoor code slipped into the wpos-analytics module, masquerading as an opt-in stats tool.

Austin Ginder caught it. Founder of Anchor Hosting, a managed WordPress provider. A client tip flagged odd code in Countdown Timer Ultimate, a plugin with tens of thousands of installs. Ginder dug deeper. Every Essential Plugin title carried the same payload. “The injected code was sophisticated,” he wrote in his April 9 blog post. “It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners.”

Backdoor mechanics. An unauthenticated REST API endpoint, registered with the permission callback __return_true. It fetches a response from analytics.essentialplugin.com and unserializes it. Boom. Remote code execution via PHP deserialization. The payload downloads wp-comments-posts.php (note the extra “s”; the legitimate core file is wp-comments-post.php). That file appends 6KB of PHP to wp-config.php, right before require_once ABSPATH . 'wp-settings.php';. Dormant until April 5-6, 2026. Then activation. Sites phone home between 04:22 and 11:06 UTC on April 6. wp-config.php balloons from 3.3KB to 9.5KB.

C2 evasion? Wild. Domain resolved via Ethereum smart contract. Public blockchain RPC queries point to the real server. Takedown one domain? Update the contract. New one live instantly. Perfect for a buyer versed in crypto.

WordPress.org moved fast. April 7, Plugins Team closes all 31 titles permanently. April 8, forces update to 2.6.9.1. Disables the backdoor line with an early return;. Neutralizes the phone-home. But wp-config.php? Untouched. Malware lingers. “WordPress.org’s v2.6.9.1 update neutralized the phone-home mechanism in the plugin,” Ginder noted. “But it did not touch wp-config.php. The SEO spam injection was still actively serving hidden content to Googlebot.”

Scale. Over 400,000 installs. 15,000 premium customers. 20,000+ active sites per TechCrunch. Hundreds of thousands vulnerable, per BleepingComputer. Full list of the 31 plugins (WordPress.org slug in parentheses):

- Accordion and Accordion Slider (accordion-and-accordion-slider)
- Album and Image Gallery Plus Lightbox (album-and-image-gallery-plus-lightbox)
- Audio Player with Playlist Ultimate (audio-player-with-playlist-ultimate)
- Blog Designer for Post and Widget (blog-designer-for-post-and-widget)
- Countdown Timer Ultimate (countdown-timer-ultimate)
- Featured Post Creative (featured-post-creative)
- Footer Mega Grid Columns (footer-mega-grid-columns)
- Hero Banner Ultimate (hero-banner-ultimate)
- HTML5 VideoGallery Plus Player (html5-videogallery-plus-player)
- Meta Slider and Carousel with Lightbox (meta-slider-and-carousel-with-lightbox)
- Popup Anything on Click (popup-anything-on-click)
- Portfolio and Projects (portfolio-and-projects)
- Post Category Image with Grid and Slider (post-category-image-with-grid-and-slider)
- Post Grid and Filter Ultimate (post-grid-and-filter-ultimate)
- Preloader for Website (preloader-for-website)
- Product Categories Designs for WooCommerce (product-categories-designs-for-woocommerce)
- Responsive WP FAQ with Category (sp-faq)
- SlidersPack – All in One Image Sliders (sliderspack-all-in-one-image-sliders)
- SP News And Widget (sp-news-and-widget)
- Styles for WP PageNavi – Addon (styles-for-wp-pagenavi-addon)
- Ticker Ultimate (ticker-ultimate)
- Timeline and History Slider (timeline-and-history-slider)
- Woo Product Slider and Carousel with Category (woo-product-slider-and-carousel-with-category)
- WP Blog and Widgets (wp-blog-and-widgets)
- WP Featured Content and Slider (wp-featured-content-and-slider)
- WP Logo Showcase Responsive Slider and Carousel (wp-logo-showcase-responsive-slider-slider)
- WP Responsive Recent Post Slider (wp-responsive-recent-post-slider)
- WP Slick Slider and Image Carousel (wp-slick-slider-and-image-carousel)
- WP Team Showcase and Slider (wp-team-showcase-and-slider)
- WP Testimonial with Widget (wp-testimonial-with-widget)
- WP Trending Post Slider and Widget (wp-trending-post-slider-and-widget)

Not isolated. Echoes 2017: “Daley Tias” buys Display Widgets (200,000 installs) for $15,000. Injects payday loan spam. Hits nine plugins total. Now this. Second such case in two weeks, per Ginder: Widget Logic fell earlier, its update swapped for a JavaScript injection. WordPress.org lacks ownership transfer flags. No user alerts. No extra code reviews for new committers. Acquisitions blend into routine SVN commits.

“WordPress.org has no mechanism to flag or review plugin ownership transfers,” Ginder wrote. “There is no ‘change of control’ notification to users. No additional code review triggered by a new committer.” Plugin ecosystem: Wild West. 96% of WP vulnerabilities from add-ons. Auto-updates amplify risks.

Fixes. Delete the plugins. Scan wp-config.php for bloat and for the injected block; look for wp-comments-posts.php. Restore from a clean backup. Nuke wpos-analytics folders. Ginder published a targeted cleanup script. Broader advice from TechSpot and others: minimize plugins, vet developers, watch file sizes and logs. Patchstack confirmed the findings in its own analysis.
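To make the cleanup checks above concrete, here is an added audit script. It is not from the article, Ginder's patch script, or Patchstack; it checks an install for the on-disk indicators the write-up names: executable code wedged into wp-config.php ahead of the wp-settings.php require line, an oversized wp-config.php, and the dropped wp-comments-posts.php file or wpos-analytics folders. It builds two constructed throwaway installs (one clean, one mimicking the described layout with inert filler) and audits both. The 6 KB size threshold, the directory layout and the sample files are assumptions.

```python
"""Audit a WordPress install for the wp-config.php injection indicators
described in the write-up. Editor-added example; not from the article,
Anchor Hosting, or Patchstack. Paths, threshold and samples are assumptions."""
import os
import re
import tempfile
from pathlib import Path

# A stock wp-config.php ends with the ABSPATH guard followed by the
# wp-settings.php require; the reported injection sits between the two.
REQUIRE_RE = re.compile(r"require_once\s+ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]\s*;")
ABSPATH_GUARD_RE = re.compile(r"^\s*if\s*\(\s*!\s*defined\s*\(\s*['\"]ABSPATH['\"]")
SIZE_THRESHOLD = 6 * 1024  # assumption: a stock wp-config.php is roughly 3KB

# Constructed minimal wp-config.php (no real secrets).
CLEAN_WP_CONFIG = (
    "<?php\n"
    "define( 'DB_NAME', 'wp' );\n"
    "define( 'DB_USER', 'wp' );\n"
    "$table_prefix = 'wp_';\n"
    "if ( ! defined( 'ABSPATH' ) ) {\n"
    "\tdefine( 'ABSPATH', __DIR__ . '/' );\n"
    "}\n"
    "require_once ABSPATH . 'wp-settings.php';\n"
)
# Constructed stand-in for the injected block: inert filler placed exactly
# where the write-up says the real payload lands (before the require line).
INJECTED_BLOCK = "/* constructed placeholder for injected code */\n" + "$x = 'filler';\n" * 500
INJECTED_WP_CONFIG = CLEAN_WP_CONFIG.replace(
    "require_once ABSPATH", INJECTED_BLOCK + "require_once ABSPATH"
)


def _is_code(line: str) -> bool:
    """Heuristic: blank lines and PHP comment lines are not executable code."""
    s = line.strip()
    return bool(s) and not s.startswith(("//", "#", "/*", "*"))


def suspicious_lines_before_settings(config_text: str) -> list:
    """Return executable lines between the closing brace of the ABSPATH guard
    and the wp-settings.php require. A stock file has only a comment there."""
    lines = config_text.splitlines()
    req_idx = next((i for i, l in enumerate(lines) if REQUIRE_RE.search(l)), None)
    if req_idx is None:
        return []  # no require line at all; audit_wp_config reports that separately
    guard_idx = next((i for i in range(req_idx) if ABSPATH_GUARD_RE.match(lines[i])), None)
    if guard_idx is None:
        return []  # unusual layout; the size heuristic still applies
    close_idx = next((i for i in range(guard_idx, req_idx) if lines[i].strip() == "}"), req_idx)
    return [l for l in lines[close_idx + 1:req_idx] if _is_code(l)]


def audit_wp_config(path: Path, size_threshold: int = SIZE_THRESHOLD) -> dict:
    """Combine the file-size heuristic with the structural check."""
    text = path.read_text(encoding="utf-8", errors="replace")
    size = path.stat().st_size
    return {
        "size_bytes": size,
        "oversized": size > size_threshold,
        "injected_line_count": len(suspicious_lines_before_settings(text)),
        "has_settings_require": REQUIRE_RE.search(text) is not None,
    }


def find_dropped_artifacts(wp_root: Path) -> list:
    """Walk the install for the two on-disk indicators named in the write-up:
    wp-comments-posts.php (extra 's'; core ships wp-comments-post.php) and any
    wpos-analytics directory. Returns paths relative to the install root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(wp_root):
        rel = Path(dirpath).relative_to(wp_root)
        hits += [str(rel / d) for d in dirnames if d == "wpos-analytics"]
        hits += [str(rel / f) for f in filenames if f == "wp-comments-posts.php"]
    return sorted(hits)


def build_demo_install(root: Path, infected: bool) -> Path:
    """Constructed throwaway install; 'infected' mirrors the described layout."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "wp-config.php").write_text(INJECTED_WP_CONFIG if infected else CLEAN_WP_CONFIG)
    plugin = root / "wp-content" / "plugins" / "countdown-timer-ultimate"
    plugin.mkdir(parents=True)
    (plugin / "countdown-timer-ultimate.php").write_text("<?php // constructed plugin stub\n")
    if infected:
        (plugin / "wpos-analytics").mkdir()
        (plugin / "wpos-analytics" / "wpos-analytics.php").write_text("<?php // constructed stub\n")
        (root / "wp-comments-posts.php").write_text("<?php // constructed stub\n")
    return root


def run_demo() -> dict:
    """Audit one clean and one infected constructed install; return both reports."""
    reports = {}
    for label, infected in (("clean", False), ("infected", True)):
        root = build_demo_install(Path(tempfile.mkdtemp()), infected)
        reports[label] = {
            "config": audit_wp_config(root / "wp-config.php"),
            "artifacts": find_dropped_artifacts(root),
        }
    return reports


if __name__ == "__main__":
    for label, report in run_demo().items():
        print(label, report)
```

Against a real install, point audit_wp_config at the live wp-config.php and find_dropped_artifacts at the document root. The structural check matters more than the size check: a config padded with long salts can legitimately exceed a coarse threshold, but executable statements after the ABSPATH guard and before the wp-settings.php require have no business being there.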

Reactions poured in. Hacker News threads lit up, slamming trust models. Reddit’s r/Wordpress: “Plugins are the cause in almost all cases.” X buzzed with warnings. ThaiCERT urged scans. WP Poland eyed AI defenses, per recent post.

Supply chain attacks scale easy. Buy trust. Weaponize it. WordPress powers 43% of the web. Plugin reliance? A ticking bomb. Kris vanished. essentialplugin.com WHOIS: “Kim Schmidt” in Zurich, ProtonMail. C2: “closed.” Damage lingers. Sites still serve spam to bots. Owners none the wiser.

Industry insiders know. Blind faith in updates kills. Time to audit. Hard.

Buyer Spends Six Figures on WordPress Plugins, Plants Backdoors in All 31 for Mass Compromise first appeared on Web and IT News.

awnewsor
