An attacker bought 30+ WordPress plugins (Essential Plugin portfolio) on Flippa for six figures, planted a PHP deserialization backdoor in August 2025, then activated it eight months later to serve cloaked SEO spam exclusively to Googlebot. WordPress.org closed 31 plugins on 7 April 2026. The same week, Smart Slider 3 Pro (800,000+ installations) was separately […]

This story continues at The Next Web