Impact
All WordPress plugins produced by Essentialplugin have been found to contain an injected backdoor in various versions. The backdoor was introduced by a malicious threat actor who bought the plugins and inserted code that grants persistent access to the sites running them. This is a CWE-506 (embedded malicious code) vulnerability: it allows attackers to persistently control the site, inject spam, or perform other malicious actions, compromising site integrity and potentially extending the compromise to other vulnerable assets.
Affected Systems
All WordPress plugins developed by Essentialplugin, across multiple versions, are affected. The list of vulnerable products includes Accordion and Accordion Slider, Album and Image Gallery Plus Lightbox, Blog Designer – Post and Widget, Countdown Timer Ultimate, Featured Post Creative, Meta Slider and Carousel with Lightbox, Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions, Portfolio and Projects, Post Ticker Ultimate, Post grid and filter ultimate, Team Slider and Team Grid Showcase plus Team Carousel, Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget, Timeline and History slider, Trending/Popular Post Slider and Widget, Video gallery and Player, WP Blog and Widgets, WP Featured Content and Slider, WP Logo Showcase Responsive Slider and Carousel, WP News and Scrolling Widgets, WP Responsive Recent Post Slider/Carousel, WP Slick Slider and Image Carousel, and WP responsive FAQ with category plugin. No specific version numbers are supplied, but any version sold by Essentialplugin may be vulnerable.
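As an added inventory check (my example, not code from the advisory or from OpenCVE), the script below parses the WordPress plugin header block of each plugin's main PHP file, the way WordPress itself reads `Plugin Name:` and `Author:`, and flags plugins whose name is on the list above. Matching the Author header against the spelling `Essentialplugin` is an assumption, since the advisory does not quote the header, and the sample plugin files are constructed; in practice you would feed it the contents of `wp-content/plugins/*/*.php`.

```python
import re

AFFECTED = [n.strip() for n in """
Accordion and Accordion Slider; Album and Image Gallery Plus Lightbox; Blog Designer - Post and Widget;
Countdown Timer Ultimate; Featured Post Creative; Meta Slider and Carousel with Lightbox;
Popup Maker and Popup Anything - Popup for opt-ins and Lead Generation Conversions; Portfolio and Projects;
Post Ticker Ultimate; Post grid and filter ultimate; Team Slider and Team Grid Showcase plus Team Carousel;
Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget; Timeline and History slider;
Trending/Popular Post Slider and Widget; Video gallery and Player; WP Blog and Widgets;
WP Featured Content and Slider; WP Logo Showcase Responsive Slider and Carousel; WP News and Scrolling Widgets;
WP Responsive Recent Post Slider/Carousel; WP Slick Slider and Image Carousel; WP responsive FAQ with category plugin
""".split(";") if n.strip()]  # plugin names from the Affected Systems list above

def _norm(s):
    # Case- and punctuation-insensitive key, so "Post grid and filter ultimate" matches "Post Grid & Filter Ultimate"
    return re.sub(r"[^a-z0-9]", "", s.lower())

AFFECTED_NORM = {_norm(n) for n in AFFECTED}

def parse_plugin_header(php_source, fields=("Plugin Name", "Author", "Version")):
    """Read header fields like WordPress's get_file_data(): scan the first 8 KiB
    for `Field: value` lines inside the leading comment block."""
    head, data = php_source[:8192], {}
    for field in fields:
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        data[field] = re.sub(r"\s*\*/\s*$", "", m.group(1)).strip() if m else ""
    return data

def is_affected(header, author_marker="essentialplugin"):
    """True if the plugin name is on the advisory list or the Author header names the
    vendor (author_marker is an assumed spelling). The advisory gives no fixed version,
    so no version comparison is possible: every version is treated as affected."""
    return _norm(header["Plugin Name"]) in AFFECTED_NORM or author_marker in _norm(header["Author"])

def scan(plugins):
    """plugins: {slug: source of the plugin's main PHP file}. Returns flagged slugs, sorted."""
    return sorted(s for s, src in plugins.items() if is_affected(parse_plugin_header(src)))

# Constructed sample plugin main files (not real plugin code).
SAMPLE_PLUGINS = {
    "wp-slick-slider": "<?php\n/*\nPlugin Name: WP Slick Slider and Image Carousel\nVersion: 2.0\nAuthor: Some Vendor\n*/\n",
    "some-gallery": "<?php\n/**\n * Plugin Name: Some Other Gallery\n * Author: Essentialplugin\n */\n",
    "example-form": "<?php\n/**\n * Plugin Name: Example Contact Form\n * Author: Example Author\n * Version: 1.2\n */\n",
}

if __name__ == "__main__":
    for slug in scan(SAMPLE_PLUGINS):
        print("AFFECTED:", slug)
```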
Risk and Exploitability
With a CVSS score of 9.8, this issue is rated critical. The EPSS score is 0.00044, indicating a very low but nonzero predicted probability of exploitation; however, the backdoor appears to have already been deployed on many sites, which points to a significant practical exploitation risk. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to be straightforward: a site is compromised as soon as it deploys the backdoored plugin, giving the attacker a persistent backdoor and the ability to inject spam.
OpenCVE Enrichment