WordPress.org Bans 31 Plugins Following Discovery of Malicious Portfolio Backdoor

The WordPress Plugins Team has permanently closed 31 plugins and is exploring AI-driven defenses after a buyer who acquired the portfolio on Flippa planted a backdoor. This breach was activated last week – exactly eight months after the initial acquisition took place.

Austin Ginder, the founder of Anchor Hosting, discovered the threat on April 9 after a client noticed a security warning. His audit found that Countdown Timer Ultimate – part of the “Essential Plugin” suite – was connecting to a rogue server to fetch a malicious file and inject code into wp-config.php.

The hidden script pulled spam from a command-and-control server, targeting Googlebot to evade detection by site owners. Ginder found the C2 domain operated via an Ethereum smart contract – a tactic chosen specifically to resist traditional domain takedown attempts.

“The buyer’s very first SVN commit was the backdoor,” Ginder wrote.

The Essential Plugin portfolio was originally built by the Indian team WP Online Support. After revenue fell by 45%, the owner sold the business on Flippa to a buyer named “Kris” – an individual with a background in SEO and crypto – for a six-figure sum in early 2025.

The backdoor was introduced in version 2.6.7 of Countdown Timer Ultimate in August 2025. Although disguised as a compatibility check for WordPress 6.8.2, the update added a PHP deserialization vulnerability that remained dormant until its activation on April 5, 2026.

On April 7, the Plugins Team shuttered all 31 associated plugins. WordPress.org then pushed a forced auto-update to version 2.6.9.1 the next day to disable the phone-home mechanism, affecting over 250,000 users across tools ranging from sliders to testimonials.

However, the forced update did not clean the wp-config.php file. Ginder warned that sites where the backdoor was already active might still be serving hidden spam. He has since published patched versions of ten plugins and provided guides for cleaning compromised configuration files.

This marks the second WordPress supply chain attack in just two weeks. Ginder previously reported that Widget Logic – a plugin with 3 million downloads – was acquired by a new owner who immediately replaced its functionality with scripts that injected malicious JavaScript into every site page.

Both attacks followed a pattern: buy an established plugin, inherit SVN commit access, and insert a payload. WordPress.org had no prior knowledge of these ownership changes, revealing a major blind spot in the ecosystem’s oversight of developer transfers.

“WordPress.org has no mechanism to flag or review plugin ownership transfers,” Ginder wrote. “There is no ‘change of control’ notification to users. No additional code review triggered by a new committer.”

Francisco Torres of the Plugins Team called the incident “genuinely painful.” He compared the situation to the XZ Utils supply chain breach, noting that the WordPress ecosystem is not immune to these types of coordinated threats from malicious actors.

“Community members identified and reported the issue quickly after the attack began, and within hours the teams involved had deployed a patch to stop it from spreading and warned affected users,” Torres said.

Torres stated that the swift response sends a clear message to those looking to exploit the system. He noted that buying trust only to gamble it for profit is a “despicable” strategy that, in this case, did not actually pay off for the attacker.

He acknowledged that current safety mechanisms are not foolproof and that improvements are necessary. The Plugins Team is now looking into proactive ways to handle these risks, including the use of AI, though Torres declined to reveal specific details.

“Community vigilance remains our most important defense,” Torres said, encouraging site owners to report any suspicious activity to the official plugin security email address.

The breaches come as plugin security faces intense scrutiny following Cloudflare’s launch of EmDash. This new CMS is being pitched as a solution to the persistent security risks that plague the traditional third-party plugin ecosystem.

Administrators running any of the 31 affected plugins should consult Ginder’s original disclosure for recovery steps. Manual inspection of wp-config.php is essential to ensure no malicious payloads remain active on the server.
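As an added example (not code from the article, from Ginder, or from WordPress.org), the following script audits a wp-config.php body for the kind of injection the article describes: executable statements that do not belong after the “stop editing” marker, remote fetches, eval/base64 use, and Googlebot user-agent checks. The indicator list and the sample file are constructed assumptions for illustration, not the signature of the actual payload.

```python
import re

# Heuristic indicators of code that does not belong in wp-config.php (assumed, generic patterns).
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://"),
    "googlebot_cloak": re.compile(r"googlebot", re.IGNORECASE),
}
STOP_MARKER = "That's all, stop editing!"
# The only executable statements a stock wp-config.php carries after the marker.
ALLOWED_AFTER_MARKER = [
    re.compile(r"^if\s*\(\s*!\s*defined\s*\(\s*'ABSPATH'\s*\)\s*\)\s*\{?$"),
    re.compile(r"^define\s*\(\s*'ABSPATH'"),
    re.compile(r"^\}$"),
    re.compile(r"^require_once\s*\(?\s*ABSPATH\s*\.\s*'wp-settings\.php'\s*\)?\s*;$"),
]

def audit_wp_config(text):
    """Return (line_no, reason, stripped_line) findings for a wp-config.php body."""
    findings = []
    after_marker = False
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        for reason, pat in SUSPICIOUS.items():  # pattern hits anywhere in the file
            if pat.search(line):
                findings.append((no, reason, stripped))
        if STOP_MARKER in line:
            after_marker = True
            continue
        is_comment = stripped.startswith(("//", "#", "/*", "*"))
        if after_marker and stripped and not is_comment:
            if not any(p.match(stripped) for p in ALLOWED_AFTER_MARKER):
                findings.append((no, "code_after_stop_marker", stripped))
    return findings

# Constructed sample; the injected line is a placeholder, not the real backdoor.
SAMPLE_WP_CONFIG = """<?php
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
// Constructed injected line for this example, not the real payload.
if (stripos($_SERVER['HTTP_USER_AGENT'] ?? '', 'googlebot') !== false) { @eval(base64_decode('PLACEHOLDER')); }
require_once ABSPATH . 'wp-settings.php';
"""

for no, reason, line in audit_wp_config(SAMPLE_WP_CONFIG):
    print(f"line {no}: {reason}: {line}")
```

Run it against a real file by passing its contents to audit_wp_config; any finding should be compared against a known-good copy of the file before removing anything.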
