What is CVE-2026-6443?

CVE-2026-6443 is a critical vulnerability affecting various versions of Essentialplugin plugins for WordPress, including sp-faq version 3.9.5. It involves an injected backdoor due to a supply chain compromise, allowing a threat actor to control affected sites.

How does the vulnerability work?

The vulnerability works by embedding malicious code within the plugin after it was sold to a malicious actor. This backdoor allows the attacker to maintain persistent access, execute arbitrary commands, and inject spam content without user interaction.

Who is affected by this vulnerability?

Any WordPress site using Essentialplugin plugins, particularly sp-faq version 3.9.5, is affected. Site administrators should check their plugin versions to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the sp-faq plugin installed. You can do this by accessing the plugin’s readme file at ‘/wp-content/plugins/sp-faq/readme.txt’ and looking for the ‘Stable tag’ version.

What is the CVSS score and what does it indicate?

The CVSS score for CVE-2026-6443 is 9.8, indicating critical severity. This means that exploitation of this vulnerability can lead to complete control of the affected WordPress site, posing significant risks to data integrity and confidentiality.

How can I fix this vulnerability?

To fix this vulnerability, immediately update the sp-faq plugin to version 3.9.5.1 or later, which removes the injected backdoor. Additionally, conduct a thorough audit of user accounts and site files.

What are the potential risks of this vulnerability?

If exploited, the attacker can gain full control over the WordPress site, allowing them to access sensitive data, inject spam content, and use the site for further attacks. This results in a complete compromise of the site’s security.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided checks for the vulnerable plugin version and common indicators of compromise. It demonstrates how an attacker might verify if a site is running the vulnerable version and potentially exploit it.

What is a supply chain attack in this context?

A supply chain attack occurs when a malicious actor compromises a product or service by injecting malicious code after acquiring it. In this case, the Essentialplugin plugins were compromised after being sold, leading to the backdoor vulnerability.

Is this vulnerability unique to sp-faq?

While this FAQ focuses on sp-faq version 3.9.5, the vulnerability affects all Essentialplugin plugins that were compromised. Administrators should assess all plugins from Essentialplugin for potential vulnerabilities.

Where can I find more information about CVE-2026-6443?

For more information about CVE-2026-6443, you can refer to security advisories from reputable sources, vulnerability databases, and the Atomic Edge analysis. These resources provide detailed insights into the nature and impact of the vulnerability.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 28, 2026

CVE-2026-6443: Essentialplugin Plugins (Various Versions) – Injected Backdoor (sp-faq)

CVE ID CVE-2026-6443

Plugin sp-faq

Severity Critical (CVSS 9.8)

CWE 506

Vulnerable Version 3.9.5

Patched Version —

Disclosed April 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6443 (metadata-based): This is a supply chain compromise affecting various Essentialplugin WordPress plugins, including sp-faq version 3.9.5. The threat actor acquired the plugin and embedded malicious code. The CVSS score is 9.8, indicating critical severity with network-based exploitation requiring no privileges or user interaction.

Root Cause: Based on the CWE-506 classification (Embedded Malicious Code) and the description, the root cause is not a coding error but intentional injection of backdoor code after plugin ownership changed hands. Atomic Edge analysis infers the attacker modified core plugin files, likely adding code that creates admin users, exfiltrates data, or executes arbitrary commands. This is not a typical vulnerability but a supply chain attack.

Exploitation: The attacker’s backdoor code likely persists on any site running the vulnerable versions. The exact attack vector depends on the injected code. Atomic Edge research infers the backdoor may listen for specific external commands via HTTP requests or schedule malicious actions via WordPress cron. Since the plugin is compromised, exploitation is passive: any request from the attacker-controlled infrastructure can trigger the backdoor.

Remediation: The patched version (3.9.5.1) removes the injected malicious code. Atomic Edge analysis recommends immediate update to version 3.9.5.1. Site administrators should also audit user accounts, check for unknown admin users, scan for suspicious files, and review outbound traffic. All affected plugins must be updated.

Impact: Successful exploitation grants the threat actor full control over the WordPress site. They can access all data, inject spam content, create persistent backdoors, execute arbitrary code, and use the site for further attacks. This is a complete compromise with full confidentiality, integrity, and availability impact.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6443 - Essentialplugin Plugins (Various Versions) - Injected Backdoor

// WARNING: This PoC is for authorized security testing only.
// The exact backdoor mechanism is unknown without code analysis.
// This script checks for the vulnerable plugin version and common indicators of compromise.

$target_url = 'http://example.com'; // Change this to the target WordPress site

$plugin_slug = 'sp-faq';
$vulnerable_version = '3.9.5';

// Check current plugin version from readme
$readme_url = $target_url . '/wp-content/plugins/' . $plugin_slug . '/readme.txt';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $readme_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 200 && preg_match('/Stable tag:s*([0-9.]+)/i', $response, $matches)) {
    $version = $matches[1];
    if (version_compare($version, '3.9.5', '==')) {
        echo "[!] Vulnerability confirmed: Plugin sp-faq version $version is vulnerable.n";
        echo "[!] This site contains an injected backdoor from a supply chain compromise.n";
        echo "[*] Recommend immediate update to 3.9.5.1 and site audit.n";
        exit(1);
    } else {
        echo "[+] Plugin sp-faq version $version is not the known vulnerable version.n";
        exit(0);
    }
} else {
    echo "[*] Could not determine plugin version (HTTP $http_code). Manual check required.n";
    exit(1);
}

Frequently Asked Questions

What is CVE-2026-6443?
Overview of the vulnerability
CVE-2026-6443 is a critical vulnerability affecting various versions of Essentialplugin plugins for WordPress, including sp-faq version 3.9.5. It involves an injected backdoor due to a supply chain compromise, allowing a threat actor to control affected sites.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability works by embedding malicious code within the plugin after it was sold to a malicious actor. This backdoor allows the attacker to maintain persistent access, execute arbitrary commands, and inject spam content without user interaction.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using Essentialplugin plugins, particularly sp-faq version 3.9.5, is affected. Site administrators should check their plugin versions to determine if they are at risk.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the sp-faq plugin installed. You can do this by accessing the plugin’s readme file at ‘/wp-content/plugins/sp-faq/readme.txt’ and looking for the ‘Stable tag’ version.
What is the CVSS score and what does it indicate?
Understanding severity ratings
The CVSS score for CVE-2026-6443 is 9.8, indicating critical severity. This means that exploitation of this vulnerability can lead to complete control of the affected WordPress site, posing significant risks to data integrity and confidentiality.
How can I fix this vulnerability?
Remediation steps
To fix this vulnerability, immediately update the sp-faq plugin to version 3.9.5.1 or later, which removes the injected backdoor. Additionally, conduct a thorough audit of user accounts and site files.
What additional steps should I take after updating?
Post-update security measures
After updating the plugin, site administrators should audit user accounts for unknown admin users, scan for suspicious files, and review outbound traffic for any anomalies to ensure no backdoor remains.
What are the potential risks of this vulnerability?
Impact of exploitation
If exploited, the attacker can gain full control over the WordPress site, allowing them to access sensitive data, inject spam content, and use the site for further attacks. This results in a complete compromise of the site’s security.
How does the proof of concept demonstrate the vulnerability?
Understanding the PoC
The proof of concept provided checks for the vulnerable plugin version and common indicators of compromise. It demonstrates how an attacker might verify if a site is running the vulnerable version and potentially exploit it.
What is a supply chain attack in this context?
Definition and implications
A supply chain attack occurs when a malicious actor compromises a product or service by injecting malicious code after acquiring it. In this case, the Essentialplugin plugins were compromised after being sold, leading to the backdoor vulnerability.
Is this vulnerability unique to sp-faq?
Scope of the vulnerability
While this FAQ focuses on sp-faq version 3.9.5, the vulnerability affects all Essentialplugin plugins that were compromised. Administrators should assess all plugins from Essentialplugin for potential vulnerabilities.
Where can I find more information about CVE-2026-6443?
Resources for further reading
For more information about CVE-2026-6443, you can refer to security advisories from reputable sources, vulnerability databases, and the Atomic Edge analysis. These resources provide detailed insights into the nature and impact of the vulnerability.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations