CVE-2026-6443
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| essentialplugin | Accordion and Accordion Slider | 1.4.6 | affected |
| essentialplugin | Portfolio and Projects | 1.5.6 | affected |
| essentialplugin | Featured Post Creative | 1.5.7 | affected |
| essentialplugin | Post grid and filter ultimate | 1.7.4 | affected |
| essentialplugin | WP Featured Content and Slider | 1.7.6 | affected |
| essentialplugin | Post Ticker Ultimate | 1.7.6 | affected |
| essentialplugin | Trending/Popular Post Slider and Widget | 1.8.6 | affected |
| essentialplugin | Meta Slider and Carousel with Lightbox | 2.0.8 | affected |
| essentialplugin | Album and Image Gallery Plus Lightbox | 2.1.8 | affected |
| essentialplugin | Timeline and History slider | 2.4.5 | affected |
| essentialplugin | WP Blog and Widgets | 2.6.6 | affected |
| essentialplugin | Countdown Timer Ultimate | 2.6.9 | affected |
| essentialplugin | Blog Designer – Post and Widget | 2.7.7 | affected |
| essentialplugin | Team Slider and Team Grid Showcase plus Team Carousel | 2.8.6 | affected |
| essentialplugin | Video gallery and Player | 2.8.7 | affected |
| essentialplugin | Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions | 2.9.1 | affected |
| essentialplugin | Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget | 3.5.6 | affected |
| essentialplugin | WP Responsive Recent Post Slider/Carousel | 3.7.1 | affected |
| essentialplugin | WP Slick Slider and Image Carousel | 3.7.8.1 | affected |
| essentialplugin | WP Logo Showcase Responsive Slider and Carousel | 3.8.7 | affected |
| essentialplugin | WP responsive FAQ with category plugin | 3.9.5 | affected |
| essentialplugin | WP News and Scrolling Widgets | 5.0.6 | affected |
Weaknesses
- CWE-506: CWE-506 Embedded Malicious Code
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve
- https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.