Security Bulletin: Essential Plugin Supply Chain Attack (April 2026)

Date: April 16, 2026
Severity: Mitigated
Impact to WPCloud clients: No active exploitation detected

Summary

In April 2026, a supply chain attack was discovered affecting over 30 WordPress plugins from a developer called Essential Plugin (formerly WP Online Support). A new owner acquired the plugins in early 2025 and planted a backdoor in all of them. WordPress.org permanently closed all 31 affected plugins on April 7, 2026.

WPCloud’s SOC team detected the threat on April 5, before it was publicly disclosed, and completed full remediation across our infrastructure on April 15, 2026. All affected clients have been contacted directly.

Am I affected?

If you received a WHMCS ticket from WPCloud about this issue, your site had one of the affected plugins installed. We have already removed the malicious code. The plugin still works, but it will never receive updates again. You should find a replacement plugin when practical.

If you did not receive a ticket, your sites do not use any of the affected plugins. You have no exposure and no action is required.

What happened

The Essential Plugin developer portfolio, which included plugins like Popup Anything on Click, WP Logo Showcase Responsive Slider, WP Slick Slider and Image Carousel, and others, was sold through a marketplace called Flippa in early 2025. The new owner added a hidden PHP backdoor disguised as an analytics module to every plugin. These modified versions were distributed through WordPress.org as routine updates for approximately eight months.

On April 5 and 6, 2026, the backdoor was activated. On April 7, WordPress.org permanently closed all 31 plugins.

TechCrunch covered the story here:
https://techcrunch.com/2026/04/14/someone-planted-backdoors-in-dozens-of-wordpress-plugins-used-in-thousands-of-websites/

How WPCloud responded

Our SOC team detected signs of the attack on April 5, before public disclosure. We immediately reported the threat to the Imunify360 security team, who began developing a firewall rule. While that work was underway, we deployed .htaccess rules across our infrastructure to mitigate the activity.

After WordPress.org closed the plugins on April 7, we began a fleet-wide remediation effort:

  • Scanned all 21 WPCloud servers and identified 48 affected plugin instances across 14 servers
  • Removed the malicious analytics module from every affected plugin
  • Verified that no dropper files or payload injections were present on any site
  • Confirmed the attacker’s command-and-control server is offline
  • Preserved plugin functionality so sites continue to work normally

Remediation was completed on April 15, 2026. No WPCloud client site was compromised. No dropper files were found anywhere in our fleet, and no wp-config.php files were modified by the attacker.

What clients need to do

If your site had an affected plugin: The plugin still works after our remediation, but WordPress.org has permanently closed these plugins. They will never receive security patches, bug fixes, or compatibility updates. Find and install a replacement plugin when you can.

If your site did not have an affected plugin: Nothing. You are not affected.

Affected plugins

The following plugins were part of the Essential Plugin portfolio. All are permanently closed on WordPress.org:

  • Accordion and Accordion Slider
  • Album and Image Gallery Plus Lightbox
  • Audio Player with Playlist Ultimate
  • Blog Designer for Post and Widget
  • Countdown Timer Ultimate
  • Hero Banner Ultimate
  • Popup Anything on Click
  • Post Grid and Filter Ultimate
  • SP News and Widget
  • Slider and Carousel Plus Widget for Instagram
  • Timeline and History Slider
  • WP Blog and Widgets
  • WP FAQ
  • WP Featured Content and Slider
  • WP Logo Showcase Responsive Slider
  • WP Responsive Recent Post Slider
  • WP Slick Slider and Image Carousel
  • WP Team Showcase and Slider
  • WP Testimonial with Widget
  • WP Trending Post Slider and Widget

For the full list of all 31 closed plugins, see the TechCrunch article linked above.
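
For administrators who want to check their own servers against the list above, the following is an added example and not WPCloud's tooling: it walks a wp-content/plugins directory, reads each plugin's "Plugin Name" header, and flags names that match the 20 plugins named in this bulletin. It assumes the header contains the name as written here; it only locates installed copies and does not detect the backdoor code itself.

```python
import re, sys, tempfile
from pathlib import Path

# The 20 plugin names listed in this bulletin (not the full set of 31).
AFFECTED = [
    "Accordion and Accordion Slider", "Album and Image Gallery Plus Lightbox",
    "Audio Player with Playlist Ultimate", "Blog Designer for Post and Widget",
    "Countdown Timer Ultimate", "Hero Banner Ultimate", "Popup Anything on Click",
    "Post Grid and Filter Ultimate", "SP News and Widget",
    "Slider and Carousel Plus Widget for Instagram", "Timeline and History Slider",
    "WP Blog and Widgets", "WP FAQ", "WP Featured Content and Slider",
    "WP Logo Showcase Responsive Slider", "WP Responsive Recent Post Slider",
    "WP Slick Slider and Image Carousel", "WP Team Showcase and Slider",
    "WP Testimonial with Widget", "WP Trending Post Slider and Widget",
]
# Header line syntax that WordPress reads from the top of a plugin's main file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)\s*$", re.I | re.M)

def norm(s):
    """Lowercase, turn punctuation runs into spaces, pad for whole-word matching."""
    return " " + re.sub(r"[^a-z0-9]+", " ", s.lower()).strip() + " "

def plugin_name(php_file):
    """Return the Plugin Name header found in the first 8 KiB of a file, or None."""
    try:
        head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    except OSError:
        return None
    m = HEADER_RE.search(head)
    return m.group(1) if m else None

def find_affected(plugins_dir):
    """Return [(plugin folder, header name, bulletin name)] for whole-word matches."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        name = plugin_name(php)
        match = name and next((a for a in AFFECTED if norm(a) in norm(name)), None)
        if match:
            hits.append((php.parent.name, name, match))
    return hits

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tempfile.mkdtemp())
    if len(sys.argv) == 1:  # no path given: build a constructed sample tree
        for d, n in (("demo-a", "Countdown Timer Ultimate"), ("demo-b", "Contact Form X")):
            (root / d).mkdir()
            (root / d / "main.php").write_text(f"<?php\n/**\n * Plugin Name: {n}\n */\n")
    for folder, name, listed in find_affected(root):
        print(f"{folder}: '{name}' matches bulletin entry '{listed}'")
```

Short names such as "WP FAQ" can also match unrelated plugins whose names contain those words, so treat each hit as a candidate to review.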

Questions?

If you have questions about this issue, open a support ticket through WHMCS and our team will be happy to help.

Updated on April 16, 2026