{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6443", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-16T18:22:16.366Z", "datePublished": "2026-04-17T06:44:49.128Z", "dateUpdated": "2026-04-21T19:53:07.705Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-21T19:53:07.705Z"}, "affected": [{"vendor": "essentialplugin", "product": "Accordion and Accordion Slider", "versions": [{"version": "1.4.6", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Portfolio and Projects", "versions": [{"version": "1.5.6", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Featured Post Creative", "versions": [{"version": "1.5.7", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Post grid and filter ultimate", "versions": [{"version": "1.7.4", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP Featured Content and Slider", "versions": [{"version": "1.7.6", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Post Ticker Ultimate", "versions": [{"version": "1.7.6", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Trending/Popular Post Slider and Widget", "versions": [{"version": "1.8.6", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Meta Slider and Carousel with Lightbox", "versions": [{"version": "2.0.8", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Album and Image Gallery Plus Lightbox", "versions": [{"version": "2.1.8", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Timeline and History slider", "versions": [{"version": "2.4.5", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP Blog and Widgets", "versions": [{"version": "2.6.6", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Countdown Timer Ultimate", "versions": [{"version": "2.6.9", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Blog Designer \u2013 Post and Widget", "versions": [{"version": "2.7.7", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Team Slider and Team Grid Showcase plus Team Carousel", "versions": [{"version": "2.8.6", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Video gallery and Player", "versions": [{"version": "2.8.7", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Popup Maker and Popup Anything \u2013 Popup for opt-ins and Lead Generation Conversions", "versions": [{"version": "2.9.1", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget", "versions": [{"version": "3.5.6", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP Responsive Recent Post Slider/Carousel", "versions": [{"version": "3.7.1", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP Slick Slider and Image Carousel", "versions": [{"version": "3.7.8.1", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP Logo Showcase Responsive Slider and Carousel", "versions": [{"version": "3.8.7", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP responsive FAQ with category plugin", "versions": [{"version": "3.9.5", "status": "affected"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP News and Scrolling Widgets", "versions": [{"version": "5.0.6", "status": "affected"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites."}], "title": "Essentialplugin Plugins (Various Versions) - Injected Backdoor", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve"}, {"url": "https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-506 Embedded Malicious Code", "cweId": "CWE-506", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Eu Joe Chegne"}, {"lang": "en", "type": "finder", "value": "Damien"}], "timeline": [{"time": "2026-04-16T18:38:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-09T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T18:49:32.019393Z", "id": "CVE-2026-6443", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T18:49:42.999Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6443", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-17T18:49:32.019393Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T18:49:38.790Z"}}], "cna": {"title": "Essentialplugin Plugins (Various Versions) - Injected Backdoor", "credits": [{"lang": "en", "type": "finder", "value": "Eu Joe Chegne"}, {"lang": "en", "type": "finder", "value": "Damien"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "essentialplugin", "product": "Accordion and Accordion Slider", "versions": [{"status": "affected", "version": "1.4.6"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Portfolio and Projects", "versions": [{"status": "affected", "version": "1.5.6"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Featured Post Creative", "versions": [{"status": "affected", "version": "1.5.7"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Post grid and filter ultimate", "versions": [{"status": "affected", "version": "1.7.4"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP Featured Content and Slider", "versions": [{"status": "affected", "version": "1.7.6"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Post Ticker Ultimate", "versions": [{"status": "affected", "version": "1.7.6"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Trending/Popular Post Slider and Widget", "versions": [{"status": "affected", "version": "1.8.6"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Meta Slider and Carousel with Lightbox", "versions": [{"status": "affected", "version": "2.0.8"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Album and Image Gallery Plus Lightbox", "versions": [{"status": "affected", "version": "2.1.8"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Timeline and History slider", "versions": [{"status": "affected", "version": "2.4.5"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP Blog and Widgets", "versions": [{"status": "affected", "version": "2.6.6"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Countdown Timer Ultimate", "versions": [{"status": "affected", "version": "2.6.9"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Blog Designer \u2013 Post and Widget", "versions": [{"status": "affected", "version": "2.7.7"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Team Slider and Team Grid Showcase plus Team Carousel", "versions": [{"status": "affected", "version": "2.8.6"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Video gallery and Player", "versions": [{"status": "affected", "version": "2.8.7"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Popup Maker and Popup Anything \u2013 Popup for opt-ins and Lead Generation Conversions", "versions": [{"status": "affected", "version": "2.9.1"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget", "versions": [{"status": "affected", "version": "3.5.6"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP Responsive Recent Post Slider/Carousel", "versions": [{"status": "affected", "version": "3.7.1"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP Slick Slider and Image Carousel", "versions": [{"status": "affected", "version": "3.7.8.1"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP Logo Showcase Responsive Slider and Carousel", "versions": [{"status": "affected", "version": "3.8.7"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP responsive FAQ with category plugin", "versions": [{"status": "affected", "version": "3.9.5"}], "defaultStatus": "unaffected"}, {"vendor": "essentialplugin", "product": "WP News and Scrolling Widgets", "versions": [{"status": "affected", "version": "5.0.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-16T18:38:10.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-09T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve"}, {"url": "https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/"}], "descriptions": [{"lang": "en", "value": "All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-506", "description": "CWE-506 Embedded Malicious Code"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-21T19:53:07.705Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6443", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:53:07.705Z", "dateReserved": "2026-04-16T18:22:16.366Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-17T06:44:49.128Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites."}], "id": "CVE-2026-6443", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-04-17T07:16:03.160", "references": [{"source": "security@wordfence.com", "url": "https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-506"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.4.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Accordion and Accordion Slider", "source": "cna", "vendor": "essentialplugin"}, "product": "accordion_and_accordion_slider", "vendor": "essentialplugin"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T07:19:50.994456+00:00", "value": {"mitigation_remediation": ["Uninstall the vulnerable Essentialplugin plugins, then reinstall clean versions from the official WordPress plugin repository.", "Scan all site files, especially the plugin directories, for injected or hard\u2011coded credentials and remove any malicious code found.", "Review site users and permissions for any unauthorized accounts that may have been added by the backdoor, removing them and resetting passwords as needed."], "summary": {"action": "Immediate Patch", "impact": "Persistent backdoor and spam injection"}, "threat_synthesis": {"affected_systems": "All WordPress plugins developed by Essentialplugin, across multiple versions, are affected. The list of vulnerable products includes Accordion and Accordion Slider, Album and Image Gallery Plus Lightbox, Blog Designer \u2013 Post and Widget, Countdown Timer Ultimate, Featured Post Creative, Meta Slider and Carousel with Lightbox, Popup Maker and Popup Anything \u2013 Popup for opt\u2011ins and Lead Generation Conversions, Portfolio and Projects, Post Ticker Ultimate, Post grid and filter ultimate, Team Slider and Team Grid Showcase plus Team Carousel, Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget, Timeline and History slider, Trending/Popular Post Slider and Widget, Video gallery and Player, WP Blog and Widgets, WP Featured Content and Slider, WP Logo Showcase Responsive Slider and Carousel, WP News and Scrolling Widgets, WP Responsive Recent Post Slider/Carousel, WP Slick Slider and Image Carousel, and WP responsive FAQ with category plugin. No specific version numbers are supplied, but any version sold by Essentialplugin may be vulnerable.", "description_and_impact": "All WordPress plugins produced by Essentialplugin for WordPress have been found to contain an injected backdoor in various versions. The backdoor was introduced by a malicious threat actor who bought the plugins and inserted code that grants persistent access to the compromised sites. This represents a CWE\u2011506 vulnerability that allows attackers to persistently control the site, inject spam, or perform other malicious actions, thereby compromising site integrity and potentially extending to other vulnerable assets.", "risk_and_exploitability": "With a CVSS score of 9.8, this issue is considered critical. The EPSS score is 0.00044, indicating a very low but nonzero exploitation probability, yet the backdoor appears to have already been deployed in many sites, suggesting a significant exploitation risk. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is straightforward: sites that deploy the compromised plugin are immediately compromised, providing an attacker with a full backdoor and spam capabilities."}}}}, "created": "2026-04-17T09:00:10.725978+00:00", "updated": "2026-04-22T07:30:11.612042+00:00", "vendors": ["essentialplugin", "essentialplugin$PRODUCT$accordion_and_accordion_slider", "wordpress", "wordpress$PRODUCT$wordpress"]}