CRITICAL | CVE-2026-6443 | CNA: Wordfence
CVE-2026-6443: Essentialplugin Plugins (Various Versions) - Injected Backdoor
All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugins being sold to a malicious threat actor that embedded a backdoor in all of the plugins they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 22
Affected packages
- essentialplugin / Accordion and Accordion Slider 1.4.6
- essentialplugin / Portfolio and Projects 1.5.6
- essentialplugin / Featured Post Creative 1.5.7
- essentialplugin / Post grid and filter ultimate 1.7.4
- essentialplugin / WP Featured Content and Slider 1.7.6
- essentialplugin / Post Ticker Ultimate 1.7.6
- essentialplugin / Trending/Popular Post Slider and Widget 1.8.6
- essentialplugin / Meta Slider and Carousel with Lightbox 2.0.8
- essentialplugin / Album and Image Gallery Plus Lightbox 2.1.8
- essentialplugin / Timeline and History slider 2.4.5
- essentialplugin / WP Blog and Widgets 2.6.6
- essentialplugin / Countdown Timer Ultimate 2.6.9
- essentialplugin / Blog Designer – Post and Widget 2.7.7
- essentialplugin / Team Slider and Team Grid Showcase plus Team Carousel 2.8.6
- essentialplugin / Video gallery and Player 2.8.7
- essentialplugin / Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions 2.9.1
- essentialplugin / Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget 3.5.6
- essentialplugin / WP Responsive Recent Post Slider/Carousel 3.7.1
- essentialplugin / WP Slick Slider and Image Carousel 3.7.8.1
- essentialplugin / WP Logo Showcase Responsive Slider and Carousel 3.8.7
- essentialplugin / WP responsive FAQ with category plugin 3.9.5
- essentialplugin / WP News and Scrolling Widgets 5.0.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H