Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites

vbresults

Well-known member
Licensed customer
There's no reason it can't happen here, especially with so many plugins being abandoned or handed over.
There is also no reason it could not have happened here earlier. Just that the installation base of WP is a lot broader, so infiltrating it is way more interesting. A bit like it was years ago with Macs vs. Windows machines: Macs were not attractive goals for malware authors as the installation base was so small.
Also, on closer look the case made seems a bit like clickbait. What happened is that someone bought an Indian WP plugin company along with its portfolio of plugins, modified them with malware code and distributed them, with customers installing the malware unknowingly as a consequence.

But: if you go back to the source blog post on anchor and read it sorrowfully, it shows that we are talking about 31 plugins, all from the same company, that he claims would have been infiltrated (but the author of said blog post only checked 12 and found 10 of them infiltrated):

I scanned my entire fleet and found 12 of the 26 Essential Plugin plugins installed across 22 customer sites. I patched 10 of them (one had no backdoor module, one was a different “pro” fork by the original authors).

If this has affected ~20k WP installs in total, this sounds like a lot but is in fact not too many compared to the number of WordPress installs. It is not even new, as he himself writes:

This has happened before.

In 2017, a buyer using the alias “Daley Tias” purchased the Display Widgets plugin (200,000 installs) for $15,000 and injected payday loan spam. That buyer went on to compromise at least 9 plugins the same way.

What makes me somewhat wonder is this:

The buyer’s very first SVN commit was the backdoor.

Who is still using SVN in 2026? So the whole thing probably was not exactly bleeding edge and possibly not the most popular plugins anyway.

Given the pretty thin content, the initial author wrote it up for what seems partly to be self-promotion (and made the thing bigger than it is), and then TechCrunch jumped on that train and created another, even more exaggerated version of it for clickbait reasons.

But indeed we do have a new kind of potential issue through AI, which could also hit here on XenForo:

• every child and his sister are able to create add-ons now through AI slop. But they don't have, or need to have, the abilities and knowledge to even check if they are safe or at least working properly. We did see a bunch of new add-on authors recently here that came out of nothing, released add-ons very quickly and often enough had to push out new versions in a row very fast, as it turned out that even basic functionality was not working. So obviously these add-ons have been coded, but not tested before being released. What may the chances be that this kind of add-on contains as many holes as an old bucket, which the authors are not aware of and neither are the customers/users?

• obviously, people w/o a history on this forum here that appear out of the blue and release add-ons could be anyone, including someone with bad intentions. How many administrators really check the code (and understand what they see) before installing an add-on?

• with AI, finding security issues in existing code has become very easy and can be done at scale by people who do not have competence of their own. Depending on their intentions, this may lead to very negative effects. This is currently a huge issue, especially with many open source projects: the code is free to inspect, the projects lack manpower and depend on self-exploitation of the maintainers, while the people digging for issues have basically infinite resources and do not need knowledge.

All three things are bad - and in my eyes more dangerous than the case that was made up in the blog post.
 
Sadly, SVN is still used widely in different companies and orgs. Also sadly, from my personal experience and my own personal connections, either using SVN or using nothing at all for version control is still a 50/50 crapshoot. I know of a pretty big company, that I worked for, that was using spreadsheets for version/change tracking in files...
 