1 min read, from InfoQ

Attacker Bought 30 WordPress Plugins on Flippa and Backdoored All of Them

Our take

In a striking security breach, an attacker acquired over 30 WordPress plugins on Flippa for a hefty six-figure sum, embedding a PHP deserialization backdoor in the initial commit. After an eight-month waiting period, the attacker activated the backdoor across 400,000 installations, leveraging Ethereum smart contracts for command and control. This incident highlights a critical vulnerability in WordPress.org, which lacks a mechanism for reviewing plugin ownership transfers—an oversight that platforms like npm and PyPI have addressed in their security protocols.

An attacker purchased 30+ WordPress plugins on Flippa for six figures, planted a PHP deserialization backdoor in the first commit, and waited eight months before activating it across 400,000 installations. The attack used Ethereum smart contracts to resolve C2. WordPress.org has no mechanism for reviewing plugin ownership transfers, a gap that npm and PyPI addressed years ago.

By Steef-Jan Wiggers
