Attacker Bought 30 WordPress Plugins on Flippa and Backdoored All of Them

May 6, 2026

An attacker purchased 30+ WordPress plugins on Flippa for six figures, planted a PHP deserialization backdoor in the first commit, and waited eight months before activating it across 400,000 installations. The attack used Ethereum smart contracts for command-and-control (C2) resolution. WordPress.org has no mechanism for reviewing plugin ownership transfers, a gap that npm and PyPI addressed years ago.

By Steef-Jan Wiggers

InfoQ