CVE-2026-6443

Published: Apr 17, 2026

Modified: Apr 21, 2026

PUBLISHED

CVSS v3.1

9.8

CRITICAL

Description

All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

Vendor	Product	Versions
essentialplugin	Accordion and Accordion Slider	affected `1.4.6`
essentialplugin	Portfolio and Projects	affected `1.5.6`
essentialplugin	Featured Post Creative	affected `1.5.7`
essentialplugin	Post grid and filter ultimate	affected `1.7.4`
essentialplugin	WP Featured Content and Slider	affected `1.7.6`
essentialplugin	Post Ticker Ultimate	affected `1.7.6`
essentialplugin	Trending/Popular Post Slider and Widget	affected `1.8.6`
essentialplugin	Meta Slider and Carousel with Lightbox	affected `2.0.8`
essentialplugin	Album and Image Gallery Plus Lightbox	affected `2.1.8`
essentialplugin	Timeline and History slider	affected `2.4.5`
essentialplugin	WP Blog and Widgets	affected `2.6.6`
essentialplugin	Countdown Timer Ultimate	affected `2.6.9`
essentialplugin	Blog Designer – Post and Widget	affected `2.7.7`
essentialplugin	Team Slider and Team Grid Showcase plus Team Carousel	affected `2.8.6`
essentialplugin	Video gallery and Player	affected `2.8.7`
essentialplugin	Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions	affected `2.9.1`
essentialplugin	Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget	affected `3.5.6`
essentialplugin	WP Responsive Recent Post Slider/Carousel	affected `3.7.1`
essentialplugin	WP Slick Slider and Image Carousel	affected `3.7.8.1`
essentialplugin	WP Logo Showcase Responsive Slider and Carousel	affected `3.8.7`
essentialplugin	WP responsive FAQ with category plugin	affected `3.9.5`
essentialplugin	WP News and Scrolling Widgets	affected `5.0.6`

Weaknesses (CWE)

CWE-506

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve

https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-6443

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References