CRITICAL🇵🇱 Wersja polska

CVE-2026-6443

CVSS 9.8v3.1pub. 2026-04-17upd. 2026-04-22

All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

🤖 AI Analysis
How it works

A malicious actor purchased the WordPress plugin portfolio from Essentialplugin and embedded a backdoor in their code (CWE-506 — Embedded Malicious Code). This backdoor is present in various versions of all compromised plugins. This allows the attacker to persistently and covertly maintain remote access to websites using these plugins and exploit them for spam injection.

Impact

An attacker can maintain persistent, unauthorized access to infected WordPress sites and inject spam into their content. Due to the network vector without required privileges and user interaction (CVSS 9.8 CRITICAL), it is also possible to compromise the confidentiality, integrity, and availability of data.

Mitigation & patch

All WordPress plugins from Essentialplugin should be immediately uninstalled. Do not install new versions of these plugins until the removal of malicious code is confirmed by a trusted source. It is recommended to conduct a website audit for signs of compromise and follow the recommendations described in the references (Wordfence, anchor.host).

Who is affected

All WordPress plugins distributed by Essentialplugin — affects various versions of all compromised plugins (specific versions indicated in the manufacturer's and Wordfence references)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References