Second Open Source Plugin Hijack Raises Alarm Across WordPress Ecosystem

Open Source Supply Chain Attack On WordPress Plugins Exposes Massive Security Risk After Ownership Change

A supply-chain attack on WordPress plugins exposes thousands of sites after a silent ownership change, highlighting critical gaps in open-source governance and trust.

Dozens of WordPress plugins have been taken offline after a malicious backdoor was discovered in them, one that let attackers inject harmful code into any website relying on these tools. With over 400,000 installs, 15,000 customers, and a presence across 20,000 active sites, the affected plugins point to large-scale exposure across the global web ecosystem.

The incident has been identified as a software supply-chain attack, where malicious code was introduced following a change in ownership. The backdoor remained dormant before activating in early April 2026, distributing malicious payloads at scale.

Austin Ginder, Founder of Anchor Hosting, raised the alarm, describing a supply-chain attack on a WordPress plugin maker called Essential Plugin.

Plugins inherently require deep access to site infrastructure, which makes them high-risk if compromised. Yet no mechanism exists to notify users when a plugin changes ownership, exposing a major blind spot in open-source ecosystems.

The plugin portfolio, originally developed by Minesh Shah, Anoop Ranawat, and Pratik Jain under WP Online Support, was rebranded as Essential Plugin and later sold in 2024 after a 25–30% revenue decline. The buyer, identified as “Kris,” reportedly had a background in SEO, crypto, and online marketing. The backdoor was inserted post-acquisition.

This marks the second plugin hijack in weeks, signalling a growing trend of weaponising open-source trust. Affected plugins have been permanently removed, with users urged to uninstall them immediately and audit their systems.

The incident underscores the urgent need for stronger governance, transparency, and post-acquisition code audits across open-source ecosystems.
