Wordfence Security News

This week in Wordfence Security News (Week of Apr 13, 2026):
  • Over 30 WordPress plugins purchased on the Flippa marketplace were turned into backdoors that sat dormant for eight months before activating to inject SEO spam into wp-config.php, visible only to Googlebot
  • Smart Slider 3 Pro's update infrastructure was compromised, pushing a weaponized build through the official update channel for approximately six hours before being caught
  • Microsoft's second-largest Patch Tuesday ever fixes roughly 165 vulnerabilities including a SharePoint spoofing zero-day already under active exploitation and a Defender privilege escalation zero-day linked to the BlueHammer public exploit
  • Adobe released an emergency patch for an Acrobat Reader zero-day exploited in the wild since late 2025, discovered via malicious Russian-language PDFs about gas supply disruptions
  • ShinyHunters extortion group listed Rockstar Games on its leak site after stealing authentication tokens from cloud analytics platform Anadot and accessing Rockstar's connected Snowflake data warehouse
  • A critical pre-authentication remote code execution flaw in Marimo, an open-source Python notebook platform, was exploited within 10 hours of its advisory being published with no public proof of concept
Timestamps:

0:00 Introduction
0:26 Supply Chain Attack on 30+ Essential Plugin WordPress Plugins
2:08 Smart Slider 3 Pro Update Infrastructure Compromised
2:55 Kali Forms and Ninja Forms File Upload Exploitation Updates
3:21 Microsoft Patch Tuesday with SharePoint and Defender Zero-Days
5:31 Adobe Acrobat Reader Zero-Day Emergency Patch
6:26 ShinyHunters Breach of Rockstar Games via Anadot Tokens
7:16 Marimo RCE Exploited Within 10 Hours of Disclosure

Story Links:
Stay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.

What is Wordfence Security News?

Wordfence Security News is a weekly cybersecurity news podcast covering the top news stories from the world of WordPress security and the broader cybersecurity threat landscape. Hosted by cybersecurity expert and Wordfence researcher Alex Thomas.

Alex Thomas:

This week on Wordfence Security News, 30 WordPress plugins were purchased on a public marketplace and turned into backdoors. Microsoft's second-largest Patch Tuesday ever includes a SharePoint zero-day already under active exploitation. And the ShinyHunters extortion group adds another major name to its leak site. This is Wordfence Security News for the week of 04/13/2026. I'm Alex Thomas.

Alex Thomas:

Our top WordPress story this week is a supply chain attack months in the making. A buyer acquired a portfolio of more than 30 WordPress plugins through the Flippa marketplace, planted a backdoor in all of them, and waited eight months before activating it. The portfolio belonged to a company called Essential Plugin, which had been building WordPress plugins since 2015. After revenue declined, they listed the business on Flippa. A buyer, identified only as Chris, purchased everything for a six-figure sum.

Alex Thomas:

The buyer's very first code commit to the WordPress.org repository was a backdoor hidden inside a version tagged as a routine compatibility update. That code sat dormant until April 5, when it began activating across sites running the affected plugins. Once active, the malware injected itself into wp-config.php and served SEO spam exclusively to Googlebot. Site owners couldn't see it by visiting their own pages.

Alex Thomas:

The command and control domain was resolved through an Ethereum smart contract, making it resistant to traditional domain takedowns. WordPress.org permanently closed all 31 plugins on April 7 and forced an auto-update that disabled the backdoor's phone-home mechanism, but it left the plugin's malicious module in place and did not touch wp-config.php. Sites that were already infected before that update are still serving hidden spam to Googlebot. If you're running anything from the Essential Plugin portfolio, remove the plugin entirely and inspect wp-config.php for injected code. We'll link to the full write-up from Austin Ginder at Anchor Hosting in the description.

Alex Thomas:

This wasn't the only supply chain attack to hit WordPress this week. Separately, attackers compromised the update infrastructure for Smart Slider 3 Pro and pushed a weaponized build through the official update channel. It was live for about six hours before it was caught. Any site that updated during that window should be considered fully compromised. Only the Pro version was affected.

Alex Thomas:

The compromised version is 3.5.1.35. If your site installed that version, updating to the clean release is not enough. The malware installs persistence outside the plugin itself. The developer, Nextend, recommends restoring from a backup dated April 5 or earlier and treating the site as fully compromised. Wordfence Premium, Care, and Response users are protected through a malware signature.

Alex Thomas:

Quick updates on two vulnerabilities we've been tracking. Kali Forms, which we first covered three weeks ago, continues to see heavy exploitation. We published a full threat intelligence analysis on the Wordfence blog this week. The Ninja Forms file upload vulnerability from last week is also seeing broadening activity, with a full threat intelligence post now live on the blog as well. If you haven't patched either of those, please update. Microsoft released its April updates on Tuesday, fixing roughly 165 vulnerabilities, making it the second-largest Patch Tuesday in the company's history.

Alex Thomas:

Two of those are zero-days. The one already under active exploitation is a spoofing vulnerability in SharePoint Server. Microsoft says it's caused by improper input validation, and researchers believe it could be a cross-site scripting flaw. The CVSS score is only 6.5, which doesn't look urgent on paper, but it requires no authentication. It's already being exploited, and CISA added it to the Known Exploited Vulnerabilities catalog the same day.

Alex Thomas:

Tenable's Satnam Narang pointed out that the last SharePoint spoofing zero-day, from July 2025, was part of the ToolShell exploit chain used by ransomware and cyber espionage groups. Whether this one is related isn't known yet, but SharePoint's role as a collaboration hub makes any exploited flaw in it a priority. The second zero-day is a privilege escalation flaw in Microsoft Defender. Microsoft's advisory doesn't reference BlueHammer by name, but multiple security firms, including Tenable, CrowdStrike, and Cyderes, have connected it to a public exploit called BlueHammer hosted on GitHub on April 3 by a researcher using the alias Chaotic Eclipse. The researcher published the code after what they described as a breakdown in Microsoft's vulnerability disclosure process.

Alex Thomas:

The exploit chains together legitimate Windows features, abusing the Defender update process through Volume Shadow Copy to escalate a low-privileged user to SYSTEM. Will Dormann, a senior vulnerability analyst at Tharros, confirmed the BlueHammer exploit no longer works after applying the patch. Beyond zero-days, the release also includes an unauthenticated remote code execution in Windows IKE Service Extensions, which researchers at Zero Day Initiative described as potentially wormable on systems with IPv6 and IPsec enabled. We recommend applying patches for these issues as soon as possible. Also this week, Adobe released an emergency patch for an Acrobat Reader zero-day that has been exploited in the wild since at least late 2025.

Alex Thomas:

The flaw was discovered after a suspicious PDF was submitted to a system called EXPMON, a sandbox-based exploit detection system run by security researcher Haifei Li. The malicious PDFs used Russian-language content about gas supply disruptions as lures, suggesting this was used in targeted attacks. When opened, the exploit runs JavaScript that fingerprints the system and phones home to a command and control server for additional payloads. Adobe pushed the patch on April 11, and CISA added it to its Known Exploited Vulnerabilities list on April 13. If your organization uses Acrobat or Reader, this is a high-priority update.

Alex Thomas:

Shifting to the broader industry, Rockstar Games confirmed this week that company data was accessed in a third-party breach after the ShinyHunters extortion group listed the studio on its leak site. ShinyHunters is the same group that claimed the European Commission breach we covered earlier this season. In this case, ShinyHunters says it stole authentication tokens from Anadot, a cloud analytics platform Rockstar uses, and used those tokens to access Rockstar's connected Snowflake data warehouse. No Snowflake vulnerability was exploited. The stolen tokens provided what looked like legitimate access.

Alex Thomas:

After its ransom demands were not met, ShinyHunters published what it claimed were more than 78,000,000 records on April 14. Rockstar says the exposed data was limited to internal analytics and did not include player information. And finally, a quick note on how fast the disclosure-to-exploitation window is closing. A critical pre-authentication remote code execution flaw in Marimo, an open-source Python notebook platform, was exploited within ten hours of its advisory being published. According to Sysdig, the attacker built a working exploit directly from the advisory description.

Alex Thomas:

No public proof of concept existed at the time. If even a niche tool with about 20,000 GitHub stars is getting hit that fast, the window between disclosure and exploitation is effectively gone. Links to all the stories we covered today are in the description. Thanks for watching or listening, and we'll see you next week on Wordfence Security News.