Last week saw a second major supply chain attack on the WordPress.org plugin repository, forcing the removal of all affected plugins, each carrying a backdoor rated at the highest severity, 10 out of 10.

#1 – WordPress.org Supply Chain Attack

A critical supply chain attack has compromised multiple WordPress plugins linked to “Essential Plugin” after a silent ownership change.

A hidden backdoor activated in early April 2026, enabling large-scale distribution of malicious code. The infected plugins had over 400,000 installs and were active on more than 20,000 sites.

This marks the second plugin hijack in recent weeks, signalling a growing trend of attacks targeting trusted open source tools.

All affected plugins are rated at the highest severity, 10 out of 10, and have been removed. If you run any of the following, either update to the newer version manually, or remove them from your WordPress sites and run a full security audit.

WP Logo Showcase Responsive Slider and Carousel Plugin
Upgrade to v3.8.7.1+

Popup Anything Plugin
Upgrade to v2.9.1.1+

Countdown Timer Ultimate Plugin
Upgrade to v2.6.9.1+

WP Responsive Recent Post Slider/Carousel Plugin
Upgrade to v3.7.1.1+

WP News and Scrolling Widgets Plugin
Upgrade to v5.0.6.1+

WP Slick Slider and Image Carousel Plugin
Upgrade to v3.7.8.2+

Album and Image Gallery plus Lightbox Plugin
Upgrade to v2.1.8.1+

Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget Plugin
Upgrade to v3.5.6.1+

WP Blog and Widget Plugin
Upgrade to v2.6.6.1+

Timeline and History slider Plugin
Upgrade to v2.4.5.1+

Post grid and filter ultimate Plugin
Upgrade to v1.7.4.1+

Meta slider and carousel with lightbox Plugin
Upgrade to v2.0.8.1+

WP responsive FAQ with category Plugin
Upgrade to v3.9.5.1+

Team Slider and Team Grid Showcase plus Team Carousel Plugin
Upgrade to v2.8.6.1+

Trending/Popular Post Slider and Widget Plugin
Upgrade to v1.8.6.1+

Featured Post Creative Plugin
Upgrade to v1.5.7.1+

Portfolio and Projects Plugin
Upgrade to v1.5.6.1+

WP Featured Content and Slider Plugin
Upgrade to v1.7.6.1+

Post Ticker Ultimate Plugin
Upgrade to v1.7.6.1+

Blog Designer – Post and Widget Plugin
Upgrade to v2.7.7.1+

Video gallery and Player Plugin
Upgrade to v2.8.7.1+

Editor Comment
It’s worth taking a few minutes each week to review your sites to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

Countless sites might already be compromised via these plugins. Updating now is your fastest line of defence.

Tutor LMS Plugin
SQL Injection; 7.6/10; Update to v3.9.9+

Unlimited Elements For Elementor Plugin
Arbitrary File Download; 7.5/10; Update to v2.0.7+

CMP – Coming Soon & Maintenance Plugin
Arbitrary File Upload; 7.2/10; Update to v4.1.17+

WP Statistics Plugin
XSS; 7.1/10; Update to v14.16.5+

Royal Elementor Addons Plugin
XSS; 6.5/10; Update to v1.7.1057+

Shortcodes Ultimate Plugin
XSS; 6.5/10; Update to v7.5.0+

Kubio AI Page Builder Plugin
Broken Access Control; 5.3/10; Update to v2.7.3+

FluentForm Plugin
Broken Authentication; 5.3/10; Update to v6.2.0+

LatePoint Plugin
Sensitive Data Exposure; 5.3/10; Update to v5.4.0+

Even the simplest plugins can become a serious risk overnight. It’s time to act and secure your site.

WooCommerce Product Filters Plugin
PHP Object; 9.8/10; Update to v2.0.6+

Barcode Scanner with Inventory & Order Manager Plugin
Privilege Escalation; 9.8/10; Update to v1.12.0+

#4 – Our blog: WordPress WAF Performance vs Protection Explained

WordPress has no built-in WAF. Learn which firewall architecture fits your site profile and how to configure protection without breaking checkouts or logins.

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress