Someone has apparently snaffled up 31 WordPress plugins and wedged a backdoor in each one


Rather than juggling way too many tabs in Chrome, I sweep them all into OneTab and promptly forget about them—extensions and plugins are great. If I still had my own blog, I'd probably use them for all sorts of things, but third-party platform add-ons also represent a security concern.

It's important to double-check the provenance of anything you're considering adding, though I suspect few attackers will be quite as ambitious as the person who bought 30 WordPress plugins and then installed backdoors in all of them.

Countdown Timer Ultimate was originally built by a team called Essential Plugin. Due to a decline in revenue, the founders sold their entire business on Flippa, a private marketplace for buying and selling online outfits like Essential Plugin. The platform itself shared a case study on the six-figure sale in 2025. According to Ginder's timeline, the new owner allegedly planted the backdoor barely a month after that glowing post went up on Flippa.

The backdoor wasn't weaponised until about April 5, 2026, according to the blog, with the WordPress plugins team moving to shut down all 31 of Essential Plugin's offerings. Quick action is definitely welcome in a situation like this, but Ginder criticises the fact that no users would have suspected anything was up until the attack began.


He writes, "WordPress.org has no mechanism to flag or review plugin ownership transfers. There is no 'change of control' notification to users. No additional code review triggered by a new committer."

Worse still, Ginder reports that this sort of hijack is not uncommon, sharing one story from 2017 in which someone "purchased the Display Widgets plugin (200,000 installs) for $15,000 and injected payday loan spam." He also cites another case from earlier this very month, in which someone launched a supply chain attack via the previously trusted Widget Logic WordPress plugin.

For context, the Essential Plugin team's website is still live, touting "15,000+ Global Happy Customers." That's a lot of users who could potentially have been affected, and how many of them would have had no idea until either WordPress took the plugins down or they independently stumbled across news coverage of the polluted plugins? It's hard not to see Ginder's point.

Jess Kinghorn
Hardware Writer

Jess has been writing about games for over ten years, spending a significant chunk of that time working on print publications PLAY and Official PlayStation Magazine. When she’s not investigating all things hardware here, she's either constructing a passionate defence of a 7/10 game, daydreaming about her debut novel, or feeling wistful about the last time she chased some nerds around a field with an oversized foam sword. 
