- 21st Apr 2026

Security Stop-Press: WordPress Plugin Sale Turns Into Hidden Backdoor Attack

More than 30 trusted WordPress plugins were bought by an attacker and then secretly altered to carry malware, exposing a major weakness in how the platform relies on trust.

The plugins, sold via Flippa for a six-figure sum, were updated in August 2025 with hidden backdoor code disguised as a routine compatibility fix. The attacker then waited eight months before activating it, allowing the plugins to build trust across thousands of sites.

In April 2026, the payload was triggered, injecting code into critical files and serving SEO spam only to search engines, leaving site owners unaware. WordPress shut down 31 plugins, but compromised sites required manual cleanup.

A separate attack on Smart Slider 3 Pro, affecting 800,000+ sites, showed the same weakness: trusted plugins can push malicious updates with no code signing or ownership checks.

Businesses should treat plugins as a supply chain risk. Limit usage, review updates carefully, monitor key files, and keep clean backups to recover quickly if compromised.
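
One way to act on the "monitor key files" advice is a hash baseline compared on a schedule. This is an added example, not code from the article or from WordPress; the watched paths, function names and the sample site built in `demo()` are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: which files count as "key" is a local decision; these patterns are illustrative.
WATCHED = ("wp-config.php", "index.php", ".htaccess", "wp-content/plugins/**/*.php")


def snapshot(root):
    """Return {relative_path: sha256_hex} for every watched file under root."""
    root = Path(root)
    hashes = {}
    for pattern in WATCHED:
        for path in root.glob(pattern):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def diff_snapshots(baseline, current):
    """Compare two snapshots and list modified, added and removed paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a constructed sample site, change it, and return the detected drift."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        plugin = site / "wp-content/plugins/example-plugin"
        plugin.mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed config\n")
        (plugin / "main.php").write_text("<?php // constructed plugin\n")
        baseline = snapshot(site)  # taken while the site is known to be clean
        # Constructed drift: one key file edited, one new PHP file appears.
        (site / "wp-config.php").write_text("<?php // constructed config\n// unexpected line\n")
        (plugin / "extra.php").write_text("<?php // constructed new file\n")
        return diff_snapshots(baseline, snapshot(site))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the web server cannot write to, and refresh it only after an update has been reviewed, so that a plugin update shows up as drift to be checked rather than being silently accepted.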
