WordPress plugin hijacking is a supply-chain attack in which a malicious actor acquired a struggling plugin company and systematically injected malware into dozens of its products, compromising thousands of WordPress sites in the process. This acquisition-based approach sidesteps vulnerability discovery and patching altogether; instead it weaponizes the trusted software distribution channel that site owners rely on for updates.
Key Takeaways
- A malicious actor acquired a struggling WordPress plugin company and injected malware into multiple products.
- Vulnerabilities across the WordPress ecosystem increased 42% in 2025, reaching 11,334 new flaws.
- Attackers exploit heavily targeted newly disclosed vulnerabilities in a median of 5 hours.
- Plugins account for 91% of WordPress ecosystem vulnerabilities, far exceeding theme and core flaws.
- Q4 2025 saw WordPress attacks nearly triple during the holiday surge.
How Plugin Hijacking Differs From Traditional WordPress Attacks
WordPress plugin hijacking bypasses the normal vulnerability disclosure timeline. Rather than waiting for security researchers to find flaws and for developers to patch them, attackers gain direct control of the software distribution mechanism itself. Once a malicious actor owns a plugin company, any update pushed through official channels can carry embedded malware and reaches thousands of sites automatically. This is fundamentally different from exploiting a known vulnerability, which at least gives site owners a narrow window to patch before attacks begin.
Traditional WordPress attacks rely on either credential compromise or known plugin flaws. Attackers use brute force and credential stuffing to gain admin access, or they exploit publicly disclosed vulnerabilities in plugins. The plugin hijacking campaign removes that window entirely: the malware arrives as a legitimate update from a trusted vendor, signed off by the distribution channel, which makes detection and attribution far more difficult. Site owners who keep their plugins updated, normally a best practice, become the targets instead of the protected.
The Scale of WordPress Vulnerability Growth in 2025
WordPress faces a vulnerability surge of unprecedented scale. Patchstack identified 11,334 new vulnerabilities in the WordPress ecosystem during 2025, a 42% increase from 7,966 in 2024. The growth is not evenly distributed: about 91% of these vulnerabilities are in plugins, roughly 9% in themes, and only 6 in WordPress core, none of which was rated high priority. The concentration of risk in plugins explains why the plugin hijacking campaign is so effective: it targets the weakest link in the WordPress security chain.
The speed at which attackers weaponize these flaws compounds the problem. According to Patchstack’s analysis, attackers exploit newly disclosed vulnerabilities in a median of 5 hours for heavily targeted flaws. This means site owners have less than a working day to identify, test, and deploy patches before active exploitation begins. For a small business running WordPress on a tight IT budget, this timeline is often impossible to meet.
WordPress Plugin Hijacking Within Broader Attack Patterns
The plugin hijacking campaign arrives as WordPress attacks accelerate across the board. WordPress powers over 40% of the web and faces approximately 90,000 attacks per minute. During Q4 2025, attacks nearly tripled due to the holiday surge, when many site owners reduce monitoring and patch deployment. This timing is not coincidental—attackers deliberately escalate campaigns when security teams are stretched thin.
Historical precedent shows how effective plugin-based compromise can be. Exploitation of a Popup Builder flaw (CVE-2023-6000) infected over 6,700 sites in an earlier campaign. A separate King Addons vulnerability drew approximately 50,000 exploit attempts within roughly a month of disclosure. These numbers illustrate the velocity and scale at which plugin flaws translate into active compromises. A hijacking campaign that ships through trusted update channels needs no exploit at all, so its reach is bounded only by the install base of the plugins it controls.
Broken Access Control is the most common vulnerability class in WordPress plugins; credential-based attacks using brute force and credential stuffing are the other major entry point. The plugin hijacking approach bypasses both: it relies neither on weak credentials nor on access control flaws, but on the trust users place in software updates themselves.
Why Plugin Vulnerabilities Remain the Dominant Attack Vector
Plugins are WordPress’s greatest strength and its greatest liability. They extend functionality without requiring core modifications, allowing site owners to add features without coding. But this extensibility comes with a security cost: plugins are developed by thousands of independent authors with varying levels of security expertise and resources. A struggling plugin company, the kind vulnerable to acquisition by a malicious actor, often lacks the budget for security audits or dedicated staff to monitor for threats.
Site owners cannot simply avoid plugins—modern WordPress sites typically rely on dozens of them for essential functions like SEO, caching, forms, and backups. This dependency creates the conditions for the hijacking campaign to succeed. When an acquired plugin company pushes updates, site owners install them reflexively, often with automated update systems enabled. The attack surface is enormous, and the attack vector is invisible until compromise is already underway.
Defending Against WordPress Plugin Hijacking
Keeping software updated, normally the first line of defence, becomes a double-edged sword in a plugin hijacking scenario: site owners who follow best practice and enable automatic updates are precisely the ones most exposed to a compromised plugin. Strong credentials and limited admin access still matter for every other attack class, but they do not help here, because a malicious update executes with the full privileges of the web server regardless of who is logged in. The paradox is that the safest habit becomes the most dangerous one.
Site owners should audit their plugin inventory and remove unused plugins immediately; each installed plugin is a potential acquisition target or vulnerability vector. For essential plugins, consider alternatives with larger teams and more transparent security processes. Review plugin updates before deploying them rather than relying on automatic installation, but review them promptly: the 5-hour median time-to-exploit cited above means an indefinitely deferred update trades one risk for another. Enable security monitoring and file integrity checks to detect unexpected changes to plugin files, and be clear about what such checks prove. Comparing installed files against the checksums published by the distribution channel (for example with WP-CLI's `wp plugin verify-checksums`) only confirms that the files match what the vendor shipped, so a malicious release that came through that same channel will pass. A baseline taken from a known-good version and diffed against each new release is what surfaces the change. These steps are labor-intensive but necessary in an environment where trusted update channels have become attack vectors.
Is WordPress plugin hijacking affecting my site right now?
If your site uses plugins from a company you have never heard of or rarely interact with, and you have not reviewed recent updates, there is a meaningful risk of compromise. Check the WordPress admin panel (or the output of `wp plugin list` from WP-CLI) for recently installed or updated plugins, and cross-reference them against your intentional plugin list. Read each plugin's changelog and its listing on the distribution source for a recent change of author or owner. If unfamiliar plugins appear, disable and remove them, then run a security scan. Look for unexpected administrator accounts, scheduled tasks (WP-Cron events) you did not create, and modified or newly added files in wp-content/plugins, wp-content/mu-plugins and wp-content/uploads.
How can I prevent plugin hijacking if I rely on many plugins?
Use a WordPress security plugin that monitors file integrity and alerts you to unexpected changes. Disable automatic plugin updates and review each update before installing it. Maintain a documented list of approved plugins and their expected versions, and check the installed inventory against it regularly. A staging environment lets you test an update before it reaches the live site, but it only helps against a malicious update if you actually diff the new code against the previous version; the malware runs the same way on staging as in production. These practices add friction but narrow the blind spot that plugin hijacking exploits.
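The two controls recommended above, an approved-plugin list with pinned versions and a file-integrity baseline diffed across releases, are shown together below. This is an added example written for this page, not code from the original article or from any WordPress vendor. It assumes the plugin inventory is the JSON that `wp plugin list --format=json` prints (fields `name`, `status`, `version`, `update`), that the approved list is maintained by the site owner, and that the plugin directory is readable; the inventory JSON, the approved list and the plugin tree built in `demo()` are constructed sample data.

```python
"""Plugin allowlist audit and file-integrity baseline for a WordPress install.

Added example (not code from the original article or from any vendor).
Assumptions: the inventory is the JSON printed by `wp plugin list
--format=json`; the approved list and plugin directory are the site owner's.
All sample data below is constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample of what `wp plugin list --format=json` might print.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3.1"},
    {"name": "seo-helper", "status": "active", "update": "available", "version": "2.4.0"},
    {"name": "cache-turbo", "status": "active", "update": "none", "version": "1.9.2"},
])

# Constructed approved list: plugin slug -> pinned version the owner signed off on.
APPROVED = {"akismet": "5.3.1", "seo-helper": "2.3.7", "forms-lite": "4.1.0"}


def audit_inventory(inventory_json: str, approved: dict) -> dict:
    """Compare installed plugins against the approved list.

    Reports plugins installed but not approved (possible unknown install),
    approved plugins whose version drifted from the pin (an update landed
    that nobody reviewed), and approved plugins that are missing.
    """
    installed = {p["name"]: p["version"] for p in json.loads(inventory_json)}
    return {
        "unapproved": sorted(set(installed) - set(approved)),
        "version_drift": {
            name: (approved[name], installed[name])
            for name in approved
            if name in installed and installed[name] != approved[name]
        },
        "missing": sorted(set(approved) - set(installed)),
    }


def build_manifest(plugin_root: str) -> dict:
    """SHA-256 of every file under the plugin directory, keyed by relative path."""
    root = Path(plugin_root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed since the baseline was recorded.

    This detects change, not maliciousness: every hit still needs a human to
    read the diff. A baseline taken after a bad update is already poisoned,
    so record it from a version you have reviewed.
    """
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed plugin tree, baseline it, apply a fake update, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "seo-helper"
        plugin.mkdir(parents=True)
        (plugin / "seo-helper.php").write_text("<?php // version 2.3.7\n")
        baseline = build_manifest(tmp)
        # Simulated 2.4.0 release: main file changes and a new file appears.
        (plugin / "seo-helper.php").write_text("<?php // version 2.4.0\n")
        (plugin / "inc").mkdir()
        (plugin / "inc" / "loader.php").write_text("<?php // new in 2.4.0\n")
        return diff_manifest(baseline, build_manifest(tmp))


if __name__ == "__main__":
    print(json.dumps(audit_inventory(SAMPLE_INVENTORY, APPROVED), indent=2))
    print(json.dumps(demo(), indent=2))
```

Run against the constructed data, the audit flags `cache-turbo` as unapproved, `seo-helper` as drifted from 2.3.7 to 2.4.0, and `forms-lite` as missing; the manifest diff then names exactly which files the 2.4.0 release touched, which is the list a reviewer opens before approving the new pin.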
What should I do if I discover a compromised plugin?
Immediately deactivate and delete the plugin. Rotate every credential the site holds: WordPress administrator passwords, API keys, the database password in wp-config.php, and the authentication keys and salts in wp-config.php (rotating the salts invalidates every existing login session, including any the attacker created). Run a full scan with a reputable security scanner, check user accounts for unauthorized administrator additions, and review server logs for suspicious access patterns, in particular requests made directly to PHP files inside plugin or upload directories. Do not assume that deleting the plugin removed the attacker: a malicious plugin runs with the full privileges of the web server and can have dropped backdoors elsewhere, in wp-content/uploads, in wp-content/mu-plugins, in wp-config.php or in scheduled tasks. Consider engaging a security professional to verify that no persistent backdoor remains. The longer a compromised plugin runs, the deeper an attacker can embed themselves in your infrastructure.
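The log review step above is the one most often skipped because nobody knows what to look for. The script below is an added example for this page, not code from the original article or from any vendor, and its two rules are assumptions of this example rather than indicators published for any specific campaign: a POST sent straight to a PHP file under wp-content/plugins/ or wp-content/uploads/ (legitimate WordPress traffic goes through index.php, admin-ajax.php or the REST API, and driving a dropped web shell does not), and any request for a .php file under wp-content/uploads/, which should hold media only. Some plugins do expose direct endpoints, so treat hits as triage leads, not verdicts. The log lines are constructed, in Apache/nginx combined format.

```python
"""Access-log triage after a suspected plugin compromise.

Added example, not from the original article. Rules are this example's
heuristics, not published indicators:
  1. POST directly to a .php file under wp-content/plugins/ or
     wp-content/uploads/ (bypasses WordPress's normal entry points).
  2. Any request for a .php file under wp-content/uploads/.
Sample log lines below are constructed in combined log format.
"""
import re
from collections import defaultdict

# Fields of the combined log format that the rules need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

DIRECT_PHP_POST = re.compile(r"^/wp-content/(plugins|uploads)/.*\.php(\?|$)")
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php(\?|$)")

# Constructed sample log (RFC 5737 documentation addresses, fictional paths).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2026:03:14:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 73 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2026:03:14:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 55 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2026:03:15:10 +0000] "POST /wp-content/plugins/seo-helper/inc/loader.php HTTP/1.1" 200 1337 "-" "python-requests/2.31"
198.51.100.23 - - [12/Jan/2026:03:15:12 +0000] "POST /wp-content/plugins/seo-helper/inc/loader.php HTTP/1.1" 200 8812 "-" "python-requests/2.31"
192.0.2.44 - - [12/Jan/2026:03:16:00 +0000] "GET /wp-content/uploads/2026/01/cache.php?p=1 HTTP/1.1" 200 412 "-" "curl/8.4"
192.0.2.9 - - [12/Jan/2026:03:17:30 +0000] "GET /wp-content/plugins/seo-helper/assets/style.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2026:03:17:31 +0000] "GET /wp-content/uploads/2026/01/photo.jpg HTTP/1.1" 200 48120 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the needed fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> dict:
    """Apply both rules to every line; group hits by rule and count them per IP.

    The per-IP counts are the pivot for the next step: pull every request
    from those addresses, not just the ones that matched a rule.
    """
    findings = {"direct_php_post": [], "php_in_uploads": []}
    by_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"]
        hit = False
        if rec["method"] == "POST" and DIRECT_PHP_POST.match(path):
            findings["direct_php_post"].append((rec["ip"], path, rec["status"]))
            hit = True
        if UPLOADS_PHP.match(path):
            findings["php_in_uploads"].append((rec["ip"], path, rec["status"]))
            hit = True
        if hit:
            by_ip[rec["ip"]] += 1
    findings["suspicious_ips"] = dict(sorted(by_ip.items(), key=lambda kv: -kv[1]))
    return findings


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

On the constructed log the normal admin-ajax traffic, the stylesheet and the JPEG produce nothing, while the two POSTs to `loader.php` and the GET for a PHP file in uploads are reported with their source addresses, which is the starting point for pulling full request histories and for the file-system checks described above.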
WordPress plugin hijacking is not a vulnerability in code—it is a vulnerability in trust. Site owners have learned to trust automatic updates as a security best practice, and attackers are now exploiting that trust at scale. Until the WordPress ecosystem develops better mechanisms for vetting plugin acquisitions and monitoring supply-chain integrity, this attack vector will remain one of the most effective threats facing WordPress sites worldwide.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar