A threat actor purchased a portfolio of 30+ popular WordPress plugins and secretly inserted a backdoor into their code. The malicious code was added shortly after acquisition but remained dormant for about 8 months, avoiding detection.

In April 2026, the backdoor was activated across all affected plugins, allowing attackers to:

  • Remotely execute code on infected websites

  • Inject hidden SEO spam into core files (like wp-config.php)

  • Maintain persistent, hard-to-detect access

If you're using WordPress, it may be worth taking a few precautionary steps:

  • Review all installed plugins and remove anything unnecessary or outdated

  • Check for recent updates from plugin developers and apply patches promptly

  • Monitor for unusual behavior, such as unexpected admin users or traffic spikes

  • Ensure backups are current and can be restored if needed
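
As an added defensive check, not code from the original post, the Python script below takes a hash baseline of wp-config.php and the wp-content/plugins tree, reports which files changed since the baseline, and flags strings typical of injected code such as hidden spam blocks; the directory layout, file contents and pattern list are constructed for the demo and should be tuned per site.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Patterns typical of injected PHP or hidden spam blocks; constructed list, tune per site.
SUSPICIOUS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"base64_decode\s*\("),
    re.compile(r"display\s*:\s*none", re.I),  # hidden SEO spam container
]

def build_manifest(root):
    """Map relative path -> sha256 for wp-config.php and every file under wp-content/plugins."""
    root = Path(root)
    targets = [root / "wp-config.php"]
    targets += (root / "wp-content" / "plugins").rglob("*")
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in targets if p.is_file()}

def diff_manifest(baseline, current):
    """Files whose hash changed, appeared, or vanished since the baseline was taken."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def scan_file(path):
    """Return the SUSPICIOUS patterns that match the file's contents."""
    text = Path(path).read_text(errors="replace")
    return [p.pattern for p in SUSPICIOUS if p.search(text)]

def demo():
    """Clean baseline, then a simulated spam injection into wp-config.php (constructed data)."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "wp-content" / "plugins" / "example-plugin"
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "plugin.php").write_text("<?php\n// harmless plugin stub\n")
    cfg = root / "wp-config.php"
    cfg.write_text("<?php\ndefine('DB_NAME', 'wp');\n")
    baseline = build_manifest(root)
    with cfg.open("a") as fh:  # simulated injection of a hidden spam block
        fh.write("echo '<div style=\"display:none\">spam</div>';\n")
    return diff_manifest(baseline, build_manifest(root)), scan_file(cfg)
```

Store the baseline manifest off-host (it is only useful if an attacker with write access to the site cannot also rewrite it) and run the diff on a schedule or after every plugin update.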
