31 WordPress plugins were secretly backdoored — if your office runs a WordPress site, here's what to check right now.

WordPress is free, open-source software used to build and run websites. It powers more than 40 percent of the sites on the internet (W3Techs, April 2026), including many government and election office websites. Most WordPress sites rely on plugins: small add-on programs that extend what a site can do, such as contact forms, event calendars, image galleries, and countdown timers. A typical site runs a dozen or more plugins, and in most setups, they update automatically in the background. That auto-update path is efficient, and it is also what made this attack possible.

A portfolio of 31 popular WordPress plugins was acquired last year. The new owner gained the ability to push updates to every site running these plugins and secretly inserted a backdoor. This malicious code was activated recently. Since WordPress powers a large share of the internet's websites and its plugins typically auto-update, the malicious code spread to thousands of sites overnight without any notification to site owners. WordPress suspended all 31 plugins quickly. However, affected websites require a manual review to be fully cleaned. Election offices using WordPress websites should take note, and for everyone else, this serves as a stark reminder of supply chain risk, where a trusted source becomes the attack vector.


Key takeaways

  • The Threat: Approximately 31 WordPress plugins were altered last year to insert a backdoor into their code, which then lay dormant. The malicious code was recently activated. This is a supply chain attack: the threat entered through a trusted software vendor rather than through a direct attack on individual sites.
  • Immediate Actions You Can Take: Ask your IT staff or website vendor today: are any of the 31 affected plugins installed on our website? If yes, remove them immediately, treat the site as compromised, rotate all administrative passwords, and manually review the site for malicious activity.
  • Broader Risk: This incident is not isolated. Supply chain attacks, in which trusted software, hardware, or suppliers are compromised, are growing and have been documented in open-source ecosystems such as WordPress plugins. Knowing what software runs on your website, who maintains it, and how updates are reviewed is an essential security requirement.

What happened

In 2025, a plugin company called EssentialPlugin was sold through Flippa, an online marketplace for digital businesses. The buyer inherited publishing rights, that is, the ability to push software updates to every site running the inherited plugins. The new owner used those rights to push malicious code, hidden inside a routine software release, that provided backdoor access. The malicious code sat dormant for months and was activated this month.


WordPress quickly discovered the compromise and released an emergency fix (version 2.6.9.1) for sites running affected plugins. The incident was initially reported by Austin Ginder of Anchor Hosting and subsequently covered by TechCrunch, Yahoo!Tech, and others.


A few mechanisms made this attack more effective:

  • Trusted Channel: Depending on site settings, plugin updates can be applied automatically. Once malicious code was inserted into the plugin, it reached every site running it with limited or no human review.
  • No Ownership Notification: Website owners don't have full visibility when software ownership changes. The buyer inherited full publishing rights.
  • Cloaking: The injected code served normal-looking content to website owners and visitors, while serving spam content to Google's search crawler. Site owners had no visible indication that anything was wrong.

Why this matters

Election websites are among the most trusted sources for voters seeking information on election dates, voting hours, candidates, unofficial results, and more. That trust is exactly what puts them at risk. If a plugin gets compromised, the damage can be far greater than the complexity of the attack would suggest.


The cloaking technique used in this instance is especially relevant for election officials, where website administrators may see normal content while inaccurate or manipulated information is served to search engines. A voter searching for “county polling locations” could be shown a page pulled from your website, but with inaccurate information or links to a fraudulent site. And you may not notice it right away, as that information takes time to work its way through the search engine ecosystem.


What to Watch For

  • Unexpected Updates: Any plugin update or changelog entry that seems unfamiliar or comes from an unrecognized publisher, and any other odd activity, should be scrutinized.
  • Unfamiliar Plugins: Look for any installed plugins that you don't recognize.
  • Search Results That Don't Match Your Site: If a Google search of your office's site returns questionable results, treat it as a potential sign of cloaking and contact your web administrator right away.

What You Can Do Now

  • Check for the affected plugins. Ask your website administrator to inventory every plugin on your site and compare it against the list of affected plugins.
  • If any affected plugin is found, treat the site as compromised. Remove the plugin, change all user passwords and database credentials, restore the site from a backup taken prior to the malicious activity, and verify your site's main configuration file has not been tampered with.
  • Apply the emergency patch if it has not already been applied. WordPress has pushed a sanitized version (2.6.9.1) for all affected plugins. Confirm that your site is running that version, or that any affected plugins have been removed. Note: the patch disables the active attack, but does not fully clean an already compromised site.
  • Ask your website provider for a Software Bill of Materials (SBOM). Request a plain inventory of every software component on your site, so you can quickly confirm whether you are affected when incidents like this one occur.
  • Ask your website administrator or vendor a few key questions:
    • What plugins are installed and who maintains them? If a list can't be produced quickly, that's a gap to close immediately.
    • Are updates reviewed before being applied?
    • Is the site monitored for unauthorized file changes or suspicious activity?
    • How quickly would you notify us if our site were compromised?
    • Do we have backups we can restore from?
    • Are user accounts routinely audited and protected with MFA?
  • Report confirmed compromises. Contact your regional CISA advisor and file a report with the FBI's Internet Crime Complaint Center at IC3.gov. You should also notify your jurisdiction's chief election official.
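As an added example (not part of this advisory and not any vendor's tooling), the plugin-inventory check from the first steps above, scripted in Python: it assumes WP-CLI is available on the site to produce the plugin list, and the affected-plugin slugs are hypothetical placeholders because the advisory does not reproduce the published list.

```python
"""Audit a WordPress plugin inventory against the affected-plugin list.

Input: the CSV printed by `wp plugin list --format=csv --fields=name,status,version`.
Affected slugs below are placeholders, not the real list from the advisory.
"""
import csv
import io

SANITIZED_VERSION = "2.6.9.1"  # emergency release named in the advisory

# Hypothetical placeholder slugs; substitute the published affected list.
AFFECTED_SLUGS = {"example-countdown-timer", "example-team-showcase",
                  "example-event-calendar"}

# Constructed sample of WP-CLI output, standing in for a real site.
SAMPLE_CSV = """name,status,version
akismet,active,5.3
example-countdown-timer,active,2.6.9
example-team-showcase,inactive,2.6.9.1
contact-form-7,active,5.9
"""

def parse_version(text):
    """'2.6.9.1' -> (2, 6, 9, 1); a non-numeric part counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))

def version_lt(a, b):
    """True if version a is older than b; missing trailing parts are 0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))

def audit_inventory(csv_text, affected=AFFECTED_SLUGS, sanitized=SANITIZED_VERSION):
    """One finding per installed plugin whose slug is on the affected list."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        slug = row["name"].strip()
        if slug in affected:
            findings.append({"plugin": slug, "version": row["version"],
                             "active": row["status"].strip() == "active",
                             "below_sanitized": version_lt(row["version"], sanitized)})
    return findings

def compromise_verdict(findings):
    """Any hit counts: an inactive affected plugin still means the site was exposed."""
    if not findings:
        return "No affected plugins found"
    return "COMPROMISED: " + ", ".join(f["plugin"] for f in findings)
```

Feed it the real `wp plugin list --format=csv --fields=name,status,version` output on your site; an affected plugin already at 2.6.9.1 is patched but, as the advisory notes, the site is still not cleaned.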


Copyright © 2026 Election Security Exchange. All rights reserved. TLP:CLEAR

Election Security Exchange

712 H Street NE, Suite 2456

Washington, DC, 20002, United States
