The Marketplace Attack
The attack was elegant in its simplicity. An attacker purchased 30+ WordPress plugins on Flippa — a legitimate digital marketplace where developers buy and sell software projects. Combined installed base: 400,000 WordPress sites. The purchase price: a six-figure sum. The return on investment: access to push code to 400,000 sites with no security review, no code signing, and no ownership transfer audit.
The first malicious commit landed August 8, 2025. The commit message: 'Check compatibility with WordPress version 6.8.2.' A routine-looking maintenance update. It sat dormant for eight months.
The Activation
On April 5-6, 2026, the dormant code activated. The payload: cloaked SEO spam injected exclusively into responses served to Googlebot. Site owners saw nothing — the malicious content was invisible to human visitors. Only Google's crawler saw the spam. Only Google's index was poisoned. The sites appeared normal while their search rankings were hijacked.
WordPress.org permanently closed all 31 plugins in a single day once the attack was discovered. But the 8-month dormancy window meant the backdoored versions had been distributed, cached in backups, and normalized through months of seemingly legitimate updates.
The Structural Gap
WordPress has no mechanism to review plugin ownership transfers. No code signing requirement for updates. No mandatory security review when a plugin changes hands. You can buy a plugin on Tuesday and push new code to every installation on Wednesday. The WordPress.org plugin directory — the trusted distribution channel — treats the new owner exactly like the old one.
This is structurally different from npm, where package transfers at least leave an audit trail and where organizations can use lockfiles and SRI hashes. It's structurally different from Go modules, where the source is pinned to a specific repository commit. WordPress plugins update through a centralized directory with implicit trust in the publisher identity. Change the identity, keep the trust.
The Plugin Roulette Gets Worse
WebPulse's Plugin Roulette analysis documented the risk carried by the 27 plugins installed on an average WordPress site — 27 independent codebases you don't control. The Flippa attack adds a dimension: you also don't control who owns those codebases. A plugin that was safe when you installed it can be purchased by an attacker and weaponized months later. Your lockfile doesn't help because WordPress doesn't have lockfiles. Your audit trail doesn't help because WordPress doesn't track ownership transfers.
The 60,000 plugins in the WordPress directory are not just code. They're assets on a marketplace. And when security is an asset, it can be bought.