
Description

All plugins by Essentialplugin for WordPress contain an injected backdoor in various versions. The plugins were sold to a malicious threat actor, who embedded a backdoor in all of the plugins they acquired. This allows the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

PUBLISHED | Reserved 2026-04-16 | Published 2026-04-17 | Updated 2026-04-21 | Assigner Wordfence

CRITICAL: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-506 Embedded Malicious Code

Product status

Default status: unaffected | 1.4.6: affected
Default status: unaffected | 1.5.6: affected
Default status: unaffected | 1.5.7: affected
Default status: unaffected | 1.7.4: affected
Default status: unaffected | 1.7.6: affected
Default status: unaffected | 1.7.6: affected
Default status: unaffected | 1.8.6: affected
Default status: unaffected | 2.0.8: affected
Default status: unaffected | 2.1.8: affected
Default status: unaffected | 2.4.5: affected
Default status: unaffected | 2.6.6: affected
Default status: unaffected | 2.6.9: affected
Default status: unaffected | 2.7.7: affected
Default status: unaffected | 2.8.6: affected
Default status: unaffected | 2.8.7: affected
Default status: unaffected | 2.9.1: affected
Default status: unaffected | 3.5.6: affected
Default status: unaffected | 3.7.1: affected
Default status: unaffected | 3.7.8.1: affected
Default status: unaffected | 3.8.7: affected
Default status: unaffected | 3.9.5: affected
Default status: unaffected | 5.0.6: affected

Timeline

2026-04-16: Vendor Notified
2026-04-09: Disclosed

Credits

Eu Joe Chegne (finder)

Damien (finder)

References

www.wordfence.com/...-9a39-4e46-b153-f42366f833ba?source=cve

anchor.host/...lugins-and-planted-a-backdoor-in-all-of-them/

cve.org (CVE-2026-6443)

nvd.nist.gov (CVE-2026-6443)
