Essentialplugin Plugins (Various Versions) - Injected Backdoor

Summary

CVE	CVE-2026-6443
State	PUBLISHED
Assigner	Wordfence
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-17 07:16:03 UTC
Updated	2026-04-22 20:22:50 UTC
Description	All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

Risk And Classification

Primary CVSS: v3.1 9.8 CRITICAL from [email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000440000 probability, percentile 0.136290000 (date 2026-04-22)

Problem Types: CWE-506 | CWE-506 CWE-506 Embedded Malicious Code

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Secondary	9.8	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	9.8	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Essentialplugin	Accordion And Accordion Slider	affected 1.4.6	Not specified
CNA	Essentialplugin	Portfolio And Projects	affected 1.5.6	Not specified
CNA	Essentialplugin	Featured Post Creative	affected 1.5.7	Not specified
CNA	Essentialplugin	Post Grid And Filter Ultimate	affected 1.7.4	Not specified
CNA	Essentialplugin	WP Featured Content And Slider	affected 1.7.6	Not specified
CNA	Essentialplugin	Post Ticker Ultimate	affected 1.7.6	Not specified
CNA	Essentialplugin	Trending/Popular Post Slider And Widget	affected 1.8.6	Not specified
CNA	Essentialplugin	Meta Slider And Carousel With Lightbox	affected 2.0.8	Not specified
CNA	Essentialplugin	Album And Image Gallery Plus Lightbox	affected 2.1.8	Not specified
CNA	Essentialplugin	Timeline And History Slider	affected 2.4.5	Not specified
CNA	Essentialplugin	WP Blog And Widgets	affected 2.6.6	Not specified
CNA	Essentialplugin	Countdown Timer Ultimate	affected 2.6.9	Not specified
CNA	Essentialplugin	Blog Designer Post And Widget	affected 2.7.7	Not specified
CNA	Essentialplugin	Team Slider And Team Grid Showcase Plus Team Carousel	affected 2.8.6	Not specified
CNA	Essentialplugin	Video Gallery And Player	affected 2.8.7	Not specified
CNA	Essentialplugin	Popup Maker And Popup Anything Popup For Opt-ins And Lead Generation Conversions	affected 2.9.1	Not specified
CNA	Essentialplugin	Testimonial Grid And Testimonial Slider Plus Carousel With Rotator Widget	affected 3.5.6	Not specified
CNA	Essentialplugin	WP Responsive Recent Post Slider/Carousel	affected 3.7.1	Not specified
CNA	Essentialplugin	WP Slick Slider And Image Carousel	affected 3.7.8.1	Not specified
CNA	Essentialplugin	WP Logo Showcase Responsive Slider And Carousel	affected 3.8.7	Not specified
CNA	Essentialplugin	WP Responsive FAQ With Category Plugin	affected 3.9.5	Not specified
CNA	Essentialplugin	WP News And Scrolling Widgets	affected 5.0.6	Not specified

References

Reference	Source	Link	Tags
www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f4236...	[email protected]	www.wordfence.com
anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in...	[email protected]	anchor.host
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Eu Joe Chegne (en)

CNA: Damien (en)

Additional Advisory Data

Source	Time	Event
CNA	2026-04-16T18:38:10.000Z	Vendor Notified
CNA	2026-04-09T00:00:00.000Z	Disclosed

There are currently no legacy QID mappings associated with this CVE.