
CVE-2026-6443: WordPress Essential Plugin Supply Chain Attack

The vulnerability stems from a malicious acquisition of the “Essential Plugin” portfolio. The new owner injected an arbitrary function call backdoor into the wpos-analytics module across over 30 WordPress plugins.

Key components of the backdoor:

  • fetch_ver_info(): Calls file_get_contents() against an attacker-controlled server and passes the response straight to @unserialize().
  • version_info_clean(): Executes arbitrary code using values taken from the unserialized remote data.
  • Unauthenticated REST API endpoint: Registered with permission_callback: __return_true, so any unauthenticated request can reach it.

The backdoor phone-home mechanism connects to analytics.essentialplugin.com, downloading a file named wp-comments-posts.php (masquerading as wp-comments-post.php), which then injects PHP code into wp-config.php.

  • Payload: Injected PHP code in wp-config.php serving spam links and redirects, hidden from site administrators by targeting only Googlebot.
  • C2 Mechanism: Employs an Ethereum smart contract resolved via public blockchain RPC endpoints to maintain resilience against domain takedowns.
  • Timeline: Planted in August 2025 and remained dormant for 8 months before activation in April 2026.

File System

  • wp-comments-posts.php (note the plural ‘posts’; the legitimate core file is wp-comments-post.php).
  • wp-config.php showing an anomalous size increase of roughly 6KB.
  • Presence of a wpos-analytics/ directory inside an affected plugin.

Network

  • Traffic to analytics.essentialplugin.com.
  • Unusual requests resolving Ethereum addresses or smart contracts.

Sigma Rule

title: Potential WordPress Essential Plugin Supply Chain Attack
description: Detects malicious activity related to the Essential Plugin backdoor injection.
status: experimental
logsource:
  category: web_server
  product: wordpress
detection:
  selection:
    url|contains: '/wp-comments-posts.php'
  condition: selection
level: critical

KQL Query

WebLogs
| where RequestPath contains "wp-comments-posts.php"
| summarize count() by ClientIP, UserAgent
| order by count_ desc

Remediation

  1. Identify all affected plugin slugs.
  2. Remove the wpos-analytics/ directory from each plugin.
  3. Clean wp-config.php of the injected PHP code (commonly appended after the require_once ABSPATH . 'wp-settings.php'; line).
  4. Perform a comprehensive site audit and reset credentials.
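The following is an added triage helper, not code from the advisory: it applies the same logic as the Sigma and KQL rules above to access-log lines (hits on the plural wp-comments-posts.php, grouped by client IP and user agent) and extracts whatever follows the require_once ABSPATH . 'wp-settings.php'; line of wp-config.php, where remediation step 3 says the injected PHP is appended. The log lines, config text and the "injected" placeholder are constructed samples; the combined log format is assumed.

```python
"""Defender-side triage for the Essential Plugin backdoor IoCs (added example)."""
import re
from collections import Counter

# Apache/Nginx "combined" access-log format (assumed); captures client IP, path, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def suspicious_requests(lines):
    """Count requests whose path contains the plural wp-comments-posts.php,
    keyed by (client IP, user agent), most frequent first. Mirrors the
    Sigma selection and the KQL summarize/order above."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and "wp-comments-posts.php" in m["path"]:
            hits[(m["ip"], m["ua"])] += 1
    return hits.most_common()

WP_SETTINGS_LINE = "require_once ABSPATH . 'wp-settings.php';"

def wp_config_tail(text):
    """Return the non-blank content after the wp-settings.php require line.
    A stock wp-config.php ends there, so any trailing PHP deserves review.
    Returns None if the require line is absent (inspect the file manually)."""
    idx = text.find(WP_SETTINGS_LINE)
    if idx == -1:
        return None
    return text[idx + len(WP_SETTINGS_LINE):].strip()

# Constructed sample log: two hits on the plural file from one client, one
# legitimate comment POST to the singular core file.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Apr/2026:03:14:07 +0000] "GET /wp-comments-posts.php?v=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Apr/2026:03:14:09 +0000] "POST /wp-comments-posts.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2026:03:15:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Constructed config samples; the real injection (~6KB of PHP) is not reproduced.
CLEAN_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wp');\n"
    "if (!defined('ABSPATH')) { define('ABSPATH', __DIR__ . '/'); }\n"
    "require_once ABSPATH . 'wp-settings.php';\n"
)
INJECTED_CONFIG = CLEAN_CONFIG + "/* injected PHP placeholder */ $x = 1;\n"

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))   # [(('203.0.113.10', 'Mozilla/5.0'), 2)]
    print(repr(wp_config_tail(CLEAN_CONFIG)))     # ''
    print(repr(wp_config_tail(INJECTED_CONFIG)))  # the appended placeholder
```

Trailing content after the require line is a signal to review, not proof on its own, since some hosts legitimately append directives there; combine it with the ~6KB size jump and the wpos-analytics/ directory check.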