Silent Invasion: How WordPress Plug-in Ownership Changes Led to Widespread Malware Distribution
Security researchers uncovered disturbing backdoor injections in popular WordPress plug-ins following corporate acquisitions. At least 30 commonly used extensions were found to contain malicious code after changing hands, creating secret entry points that exposed thousands of websites to data theft risks. The compromised plug-ins remained available after ownership transfers, and site operators installed what appeared to be legitimate updates but were actually Trojan-horse versions designed to infiltrate their systems.
This operation suggests an orchestrated campaign rather than isolated incidents, raising serious questions about plug-in marketplace security and vetting procedures. WordPress security experts recommend site administrators audit all plug-ins, especially those recently acquired by new companies, and implement additional monitoring to detect unauthorized access. The incident highlights the vulnerability inherent in the WordPress ecosystem's heavy reliance on third-party extensions.
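
One way to begin the audit recommended above is to record each installed plug-in's header and flag any update that changes the `Author` or `Author URI` field. This is an added example, not code from the article or from WordPress. The function names, the simplified header parser, and the sample plug-in are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIELDS = ("Plugin Name", "Version", "Author", "Author URI")  # plug-in header fields
HEADER_RE = re.compile(r"^[ \t/*#@]*(" + "|".join(FIELDS) + r"):(.*)$", re.M | re.I)

def parse_header(php_source):
    """Extract header fields from the first 8 KiB of a PHP file (simplified parser)."""
    found = {}
    for name, value in HEADER_RE.findall(php_source[:8192]):
        key = next(f for f in FIELDS if f.lower() == name.lower())
        found.setdefault(key, re.sub(r"\s*(?:\*/|\?>).*", "", value).strip())
    return found

def snapshot(plugins_dir):
    """Map plug-in directory name -> header of its main file."""
    result = {}
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = parse_header(php.read_text(errors="replace"))
        if "Plugin Name" in header:
            result.setdefault(php.parent.name, header)
    return result

def ownership_changes(baseline, current):
    """Return (slug, field, old, new) for every Author / Author URI change."""
    changes = []
    for slug, now in current.items():
        before = baseline.get(slug, now)  # newly installed: nothing to compare yet
        for field in ("Author", "Author URI"):
            if before.get(field) != now.get(field):
                changes.append((slug, field, before.get(field), now.get(field)))
    return changes

def demo():
    """Constructed sample: one plug-in whose header changes between two snapshots."""
    v1 = "<?php\n/*\n * Plugin Name: Sample Gallery\n * Version: 2.3.0\n * Author: Original Dev\n * Author URI: https://original.example/\n */\n"
    v2 = v1.replace("2.3.0", "2.4.0").replace("Original Dev", "New Holdings").replace("original.example", "newco.example")
    with tempfile.TemporaryDirectory() as root:
        main = Path(root, "sample-gallery", "sample-gallery.php")
        main.parent.mkdir()
        main.write_text(v1)
        baseline = snapshot(root)
        main.write_text(v2)  # simulates installing the next update
        return ownership_changes(baseline, snapshot(root))

if __name__ == "__main__":
    for change in demo():
        print("review before trusting further updates:", change)
```

A header change is only a signal: the header is plain text inside the plug-in file, so a new owner can leave it untouched. Treat a clean result as inconclusive and review the code in updates as well.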