Backdoor in 30+ WordPress Plugins: PHP Deserialization & C2 in Ethereum Contract
A hacker acquired over 30 popular WordPress plugins via the marketplace Flippa, embedded a hidden backdoor using PHP deserialization, and activated it eight months later to spread SEO spam. The command-and-control (C2) server is disguised within an Ethereum smart contract, making it resilient to standard domain takedowns. Compromised plugins from Essential Plugin (formerly WP Online Support) were removed from WordPress.org on April 7, 2026.
How the Backdoor Was Injected
The backdoor appeared in the first SVN commit by the new owner in August 2025. In the file class-anylc-admin.php, 191 lines of code were added under the guise of compatibility checks for WordPress 6.8.2. Key components:
- The
fetch_ver_info()method fetches data from a remote server usingfile_get_contents()and applies@unserialize(). - The
version_info_clean()method executes arbitrary functions—function name, arguments, and payload are pulled from the deserialized response. - A REST API endpoint with
permission_callback: __return_true— no authentication required.
This is a classic arbitrary function call exploit. The backdoor lay dormant for eight months, silently accumulating installations to break ties with the original developer’s ownership.
Activation occurred between April 5–6, 2026: the wpos-analytics module downloaded wp-comments-posts.php from analytics.essentialplugin.com and injected PHP code into wp-config.php. The payload implements cloaking for Googlebot—spam links, redirects, and fake pages visible only to search engine crawlers.
Resilient C2 via Ethereum
The C2 domain isn’t hardcoded or DNS-based. Instead, the backdoor queries public Ethereum RPC endpoints (Infura, Alchemy) and reads the current server address directly from a smart contract.
Trade-offs of this approach:
- Pros for attacker: One transaction (~$3 gas) updates the domain for all infected sites. Domain takedowns are useless—the contract lives forever on the blockchain.
- Cons: Transactions are public, enabling contract monitoring. Blocking RPC access at hosting/WAF level works—but risks disrupting legitimate dApps.
Compromise: decentralization makes shutdown harder, but simplifies detection through on-chain analysis.
Acquisition History and Background
The business, founded in 2015 (Minesh Shah et al.), rebranded as Essential Plugin, ran 30+ free plugins with premium tiers. Revenue dropped 35–45% by late 2024 and was listed on Flippa. Buyer "Kris," experienced in SEO, crypto, and online casinos, paid a six-figure sum.
Similar pattern: in 2017, "Daley Tias" bought Display Widgets (200k installs) for $15k and introduced spam. Scale expanded to 30+ plugins with advanced infrastructure.
Full List of Compromised Plugins
WordPress.org removed them on April 7, 2026. Immediately check and remove:
- Accordion and Accordion Slider
- Album and Image Gallery Plus Lightbox
- Audio Player with Playlist Ultimate
- Blog Designer for Post and Widget
- Countdown Timer Ultimate
- Featured Post Creative
- Footer Mega Grid Columns
- Hero Banner Ultimate
- HTML5 VideoGallery Plus Player
- Meta Slider and Carousel with Lightbox
- Popup Anything on Click
- Portfolio and Projects
- Post Category Image with Grid and Slider
- Post Grid and Filter Ultimate
- Preloader for Website
- Product Categories Designs for WooCommerce
- Responsive WP FAQ with Category (sp-faq)
- SlidersPack — All in One Image Sliders
- SP News And Widget
- Styles for WP PageNavi — Addon
- Ticker Ultimate
- Timeline and History Slider
- Woo Product Slider and Carousel with Category
- WP Blog and Widgets
- WP Featured Content and Slider
- WP Logo Showcase Responsive Slider and Carousel
- WP Responsive Recent Post Slider
- WP Slick Slider and Image Carousel
- WP Team Showcase and Slider
- WP Testimonial with Widget
- WP Trending Post Slider and Widget
Cleanup Checklist
Forced updates (e.g., 2.6.9.1) only added return;—the wpos-analytics module remains active. Act now:
wp plugin list --format=csv— verify authors (Essential Plugin, WP Online Support).- Delete and reinstall from trusted sources.
grep -E "wp-comments-posts|file_get_contents|unserialize" wp-config.phpgrep -E "0x[a-f0-9]{40}|eth_call|infura|alchemy" wp-config.php- Check
stat wp-config.php(modification time). - Review logs:
analytics.essentialplugin.com, Ethereum RPC activity from March–April 2026. - Submit site again in Search Console post-cleanup.
Key Points:
- Backdoors exist in releases after August 2025—code persists even after updates.
- C2 in Ethereum contracts resists DNS blocks—monitor RPC usage.
- Cloaking affects only Googlebot—site appears clean to users.
- Supply-chain attacks scale via Flippa without due diligence.
- Code diff vs changelog audit is mandatory for production environments.
Defending Against Supply-Chain Attacks
WordPress.org should implement maintainer verification and automated SVN diff checks. For mid/senior developers:
- Automate diffs: changelog mentions "compatibility" + 191 extra lines = red flag.
- WAF rules: block RPC calls from suspicious endpoints.
- Monitoring: track on-chain contract transactions and outbound connections.
Scale has grown—from 9 plugins in 2017 to over 30 today. Audit your sites immediately.
— Editorial Team
No comments yet.