9.8

CVE-2026-6443

Essentialplugin Plugins (Various Versions) - Injected Backdoor

All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugins being sold to a malicious threat actor that embedded a backdoor in all of the plugins they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.
Possible mitigation
Accordion and Accordion Slider: Update to version 1.4.6.1, or a newer patched version
Album and Image Gallery Plus Lightbox: Update to version 2.1.8.1, or a newer patched version
Blog Designer – Post and Widget: Update to version 2.7.7.1, or a newer patched version
Countdown Timer Ultimate: Update to version 2.6.9.1, or a newer patched version
Featured Post Creative: Update to version 1.5.7.1, or a newer patched version
Video gallery and Player: Update to version 2.8.7.1, or a newer patched version
Meta Slider and Carousel with Lightbox: Update to version 2.0.8.1, or a newer patched version
Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions: Update to version 2.9.1.1, or a newer patched version
Portfolio and Projects: Update to version 1.5.6.1, or a newer patched version
Post grid and filter ultimate: Update to version 1.7.4.1, or a newer patched version
WP responsive FAQ with category plugin: Update to version 3.9.5.1, or a newer patched version
WP News and Scrolling Widgets: Update to version 5.0.6.1, or a newer patched version
Post Ticker Ultimate: Update to version 1.7.6.1, or a newer patched version
Timeline and History slider: Update to version 2.4.5.1, or a newer patched version
WP Blog and Widgets: Update to version 2.6.6.1, or a newer patched version
WP Featured Content and Slider: Update to version 1.7.6.1, or a newer patched version
WP Logo Showcase Responsive Slider and Carousel: Update to version 3.8.7.1, or a newer patched version
WP Responsive Recent Post Slider/Carousel: Update to version 3.7.1.1, or a newer patched version
WP Slick Slider and Image Carousel: Update to version 3.7.8.2, or a newer patched version
Team Slider and Team Grid Showcase plus Team Carousel: Update to version 2.8.6.1, or a newer patched version
Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget: Update to version 3.5.6.1, or a newer patched version
Trending/Popular Post Slider and Widget: Update to version 1.8.6.1, or a newer patched version
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor | Product | Default status | Version | Status
essentialplugin | Accordion and Accordion Slider | unaffected | 1.4.6 | affected
essentialplugin | Portfolio and Projects | unaffected | 1.5.6 | affected
essentialplugin | Featured Post Creative | unaffected | 1.5.7 | affected
essentialplugin | Post grid and filter ultimate | unaffected | 1.7.4 | affected
essentialplugin | WP Featured Content and Slider | unaffected | 1.7.6 | affected
essentialplugin | Post Ticker Ultimate | unaffected | 1.7.6 | affected
essentialplugin | Trending/Popular Post Slider and Widget | unaffected | 1.8.6 | affected
essentialplugin | Meta Slider and Carousel with Lightbox | unaffected | 2.0.8 | affected
essentialplugin | Album and Image Gallery Plus Lightbox | unaffected | 2.1.8 | affected
essentialplugin | Timeline and History slider | unaffected | 2.4.5 | affected
essentialplugin | WP Blog and Widgets | unaffected | 2.6.6 | affected
essentialplugin | Countdown Timer Ultimate | unaffected | 2.6.9 | affected
essentialplugin | Blog Designer – Post and Widget | unaffected | 2.7.7 | affected
essentialplugin | Team Slider and Team Grid Showcase plus Team Carousel | unaffected | 2.8.6 | affected
essentialplugin | Video gallery and Player | unaffected | 2.8.7 | affected
essentialplugin | Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions | unaffected | 2.9.1 | affected
essentialplugin | Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget | unaffected | 3.5.6 | affected
essentialplugin | WP Responsive Recent Post Slider/Carousel | unaffected | 3.7.1 | affected
essentialplugin | WP Slick Slider and Image Carousel | unaffected | 3.7.8.1 | affected
essentialplugin | WP Logo Showcase Responsive Slider and Carousel | unaffected | 3.8.7 | affected
essentialplugin | WP responsive FAQ with category plugin | unaffected | 3.9.5 | affected
essentialplugin | WP News and Scrolling Widgets | unaffected | 5.0.6 | affected
Further vulnerability information
System | Product | Version
WordPress Plugin | Accordion and Accordion Slider | 1.4.6
WordPress Plugin | Album and Image Gallery Plus Lightbox | 2.1.8
WordPress Plugin | Blog Designer – Post and Widget | 2.7.7
WordPress Plugin | Countdown Timer Ultimate | 2.6.9
WordPress Plugin | Featured Post Creative | 1.5.7
WordPress Plugin | Video gallery and Player | 2.8.7
WordPress Plugin | Meta Slider and Carousel with Lightbox | 2.0.8
WordPress Plugin | Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions | 2.9.1
WordPress Plugin | Portfolio and Projects | 1.5.6
WordPress Plugin | Post grid and filter ultimate | 1.7.4
WordPress Plugin | WP responsive FAQ with category plugin | 3.9.5
WordPress Plugin | WP News and Scrolling Widgets | 5.0.6
WordPress Plugin | Post Ticker Ultimate | 1.7.6
WordPress Plugin | Timeline and History slider | 2.4.5
WordPress Plugin | WP Blog and Widgets | 2.6.6
WordPress Plugin | WP Featured Content and Slider | 1.7.6
WordPress Plugin | WP Logo Showcase Responsive Slider and Carousel | 3.8.7
WordPress Plugin | WP Responsive Recent Post Slider/Carousel | 3.7.1
WordPress Plugin | WP Slick Slider and Image Carousel | 3.7.8.1
WordPress Plugin | Team Slider and Team Grid Showcase plus Team Carousel | 2.8.6
WordPress Plugin | Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget | 3.5.6
WordPress Plugin | Trending/Popular Post Slider and Widget | 1.8.6
No warning was found for this CVE.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.5% | 0.385
CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
security@wordfence.com | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-506 Embedded Malicious Code

The product contains code that appears to be malicious in nature.

https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve
https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/
https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba
Third Party Advisory