31 WordPress Plugins, One Flippa Sale, and an 8-Month Time Bomb
In April 2026, WordPress.org closed 31 plugins after an attacker bought a trusted plugin portfolio on Flippa, shipped a dormant PHP deserialization backdoor, and activated it eight months later — with command-and-control resolved through an Ethereum smart contract. This post breaks down how the attack actually worked, why 96% of WordPress vulnerabilities live in plugins, and how Cloudflare's new EmDash CMS attempts to fix the architecture with capability-scoped sandboxes.
WordPress, Supply Chain Attack, Security