Cloudflare's EmDash targets WordPress after plugin supply chain attack
An attacker purchased 31 WordPress plugins for a mid-six-figure sum on Flippa, planted dormant backdoors eight months ago, and recently activated them in a supply chain attack — prompting Cloudflare to release EmDash, an AI-written JavaScript alternative to WordPress.
Developers and site owners relying on third-party WordPress plugins should audit their installed plugins for recent ownership changes, as legitimate acquisition — not just bad code — is now a proven attack vector for supply chain compromise.
A supply chain attack targeting WordPress unfolded over roughly eight months after an attacker purchased a portfolio of 31 plugins from their original developer on Flippa, with the sale price estimated in the mid-six figures. Rather than exploiting a code vulnerability, the attacker used legitimate ownership to insert backdoors into the plugins, which were then distributed through normal, trusted plugin updates — bypassing the suspicion that a typical phishing attack would raise. The dormant malicious logic eventually activated, reaching out to a remote server to pull down additional payloads and, in some cases, modifying core files such as `wp-config.php`, which contains sensitive database credentials and security keys. Notably, the command-and-control domain was resolved through an Ethereum smart contract, giving the attacker the ability to quickly update the target domain at any time simply by modifying the contract.
The attack underscores a long-criticized structural weakness in WordPress: plugins are essentially PHP scripts that plug directly into a site and execute with full privileges, with no sandbox or isolation layer. WordPress removed the affected plugins after the exploit became known, but the damage had already been done. The video also notes that 96% of WordPress vulnerabilities stem from its plugin system. In response to the broader WordPress security landscape, Cloudflare released a new project called EmDash — described as an AI-written JavaScript fork of WordPress — that aims to replace the platform and address its plugin security problems from the ground up.
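One way to carry out the ownership audit recommended above, shown as an added Python example (not code from the original page or from WordPress): it records each plugin's `Author` and `Author URI` header fields plus a SHA-256 of `wp-config.php`, then reports any change against that baseline. The plugin slug, names and file contents are constructed, and a header comparison is only one signal, since a new owner can leave the author fields untouched.

```python
import hashlib
import re

# Header fields WordPress reads from the comment block at the top of a plugin's main file.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Author URI|Author|Version):[ \t]*(.*?)[ \t]*$",
    re.MULTILINE | re.IGNORECASE,
)

def parse_plugin_header(php_source: str) -> dict:
    """Return lower-cased header fields found in the first 8 KiB of the file."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def snapshot(plugins: dict, wp_config: bytes) -> dict:
    """Baseline: header fields per plugin slug plus a SHA-256 of wp-config.php."""
    return {
        "plugins": {slug: parse_plugin_header(src) for slug, src in plugins.items()},
        "wp_config_sha256": hashlib.sha256(wp_config).hexdigest(),
    }

def audit(baseline: dict, current: dict) -> list:
    """Compare two snapshots; report author changes and wp-config.php drift."""
    findings = []
    for slug, now in current["plugins"].items():
        before = baseline["plugins"].get(slug)
        if before is None:
            findings.append((slug, "no baseline recorded"))
            continue
        for field in ("author", "author uri"):
            if now.get(field) != before.get(field):
                findings.append((slug, f"{field}: {before.get(field)!r} -> {now.get(field)!r}"))
    if current["wp_config_sha256"] != baseline["wp_config_sha256"]:
        findings.append(("wp-config.php", "hash differs from baseline"))
    return findings

# Constructed sample data (hypothetical plugin slug, names and URLs).
OLD = "<?php\n/*\n * Plugin Name: Example Forms\n * Version: 2.3.0\n * Author: Alice Dev\n * Author URI: https://alice.example\n */\n"
NEW = "<?php\n/*\n * Plugin Name: Example Forms\n * Version: 2.4.0\n * Author: Acme Holdings\n * Author URI: https://acme.example\n */\n"
CONFIG = b"<?php\ndefine('DB_NAME', 'wp');\n"
BASELINE = snapshot({"example-forms": OLD}, CONFIG)
CURRENT = snapshot({"example-forms": NEW}, CONFIG + b"// appended line\n")

if __name__ == "__main__":
    for target, detail in audit(BASELINE, CURRENT):
        print(f"[!] {target}: {detail}")
```

Store the baseline somewhere the web server user cannot write, so code running with plugin privileges cannot rewrite it along with the files it describes.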
Key facts
- 01 An attacker purchased 31 WordPress plugins on Flippa for a price estimated in the mid-six figures.
- 02 Backdoors were inserted approximately 8 months before activation, sitting dormant in production.
- 03 The attack was delivered via normal plugin updates from a trusted source, bypassing typical suspicion.
- 04 Malicious code modified core files including `wp-config.php`, which holds database credentials and security keys.
- 05 The command-and-control domain was resolved through an Ethereum smart contract, enabling easy domain-switching.
- 06 WordPress removed the affected plugins after the exploit was discovered.