Open Source · 2011-06-21 · 1 day · Backdoor, Remote Code Execution

WordPress.org plugins created admin backdoors

On June 21, 2011, the WordPress team found suspicious unauthorized commits to three popular WordPress.org plugins: AddThis, WPtouch, and W3 Total Cache. The commits contained disguised PHP backdoors and were not made by the legitimate authors.

Story

This incident was not a vulnerable plugin being exploited after release. It was a problem in the official repository: code shipped from WordPress.org carried commits that the project determined were not made by the plugin authors. That makes it a supply-chain incident, where the distribution path itself hands users the backdoor.

The affected plugins were AddThis, WPtouch, and W3 Total Cache, all common enough that a brief malicious update window mattered. The WordPress team described the changes as disguised backdoors, rolled them back, pushed clean versions, and shut down plugin repository access while checking for anything else suspicious.

The public guidance was practical and terse. Anyone who used those plugins and might have updated during the previous day was told to visit the updates page and install the latest clean versions. WordPress.org also forced password resets across WordPress.org, bbPress.org, and BuddyPress.org because the root cause was still under investigation.

The event belongs next to the 2007 WordPress core archive compromise, but is separate from it. In 2007 the official core download was altered; in 2011 the plugin repository carried malicious commits into specific third-party plugin releases. Both are failures of official distribution, but the scope of the affected artifacts differs.

Incident Context

Motive: Unauthorized Access Control
Cause: Compromised Repository Access
Transitive: No

External References

Source record: oss/attacks/wordpress-plugin-repository-2011/meta.yaml