Over a million WordPress sites hit in plugin flaw — here's what we know

A popular WordPress plugin was found carrying two flaws that can cause data leaks.
Bleeping Computer

Hackers exploit file upload bug in Breeze Cache WordPress plugin

Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files on the server without authentication. The security issue is ...
tech2geek

Massive WordPress Supply Chain Attack: 31 Plugins Compromised After Silent Malware Injection

A highly sophisticated supply chain attack has recently shaken the WordPress ecosystem, exposing a critical weakness in how trusted plugins are managed and updated. Unlike typical hacks that exploit ...
TechRepublic

Malicious WordPress Plugins with Backdoors Compromise Thousands of Websites

More than 30 WordPress plugins were shut down after a supply-chain backdoor compromised thousands of sites through the Essential Plugin portfolio. A web developer discovered dozens of malicious ...
TechSpot

Popular WordPress plugins backdoored after ownership change, putting thousands of websites at risk

A hot potato: WordPress plugins can significantly expand the native capabilities of the popular content management system, but they can also become a double edged sword. When malicious code finds its ...
The Next Web

Someone bought 30 WordPress plugins and planted backdoors in all of them

An attacker bought 30+ WordPress plugins (Essential Plugin portfolio) on Flippa for six figures, planted a PHP deserialization backdoor in August 2025, then activated it eight months later to serve ...
TechRadar

WordPress websites under attack — expert report says dozens of plugins hijacked to target thousands of sites

Malicious actor bought 31 WordPress plugins from Essential Plugin Updates injected backdoors, granting full site access Spam campaigns hidden from owners, C2 resolved via Ethereum smart contract A ...
cybernews

WordPress plugins taken offline after a developer found 30 injected with malicious code

Dozens of WordPress plugins have been compromised by an unknown actor who planted backdoors in popular add-ons after buying them for hundreds of thousands of dollars. WordPress developer and founder ...
TechCrunch

Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites

Dozens of plug-ins for the widely used open source web blogging software WordPress are now offline after a backdoor was discovered in them, used to push malicious code to any website that relied on ...
Blue Headlineq

30 WordPress Plugins Bought and Backdoored: The 2026 Supply Chain Attack Explained

A 2026 WordPress supply-chain attack allegedly turned 30+ sold plugins into a dormant backdoor oper… This is what a real WordPress supply chain attack looks like in 2026. It was not a typo-squatted ...
Bleeping Computer

File read flaw in Smart Slider plugin impacts 500K WordPress sites

A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server. An authenticated ...
GitHub

Remote Env File Plugin

remote-env-file loads one or more remote HTTPS .env files at build runtime and injects the parsed variables into the Jenkins build environment. It is designed for cases where configuration lives ...