The week that shook the web: WordPress supply chain attacks and the Booking.com hack

ANIM · April 16, 2026 · 7 min read

The first half of April 2026 will be remembered as one of the worst weeks for web security in recent memory. Within days of each other, three major incidents unfolded: a supply chain compromise of 26+ WordPress plugins, a backdoor distributed through the official Smart Slider 3 Pro update channel, and a confirmed data breach at Booking.com. Each incident alone would be serious news — together, they paint a picture of an ecosystem where trusting "official" channels is no longer a guarantee of safety.

Attack #1: Essential Plugin — bought, waited, activated

What happened

In early 2025, a buyer known as "Kris" purchased the entire Essential Plugin portfolio (formerly WP Online Support) — 26 WordPress plugins with a combined install base in the hundreds of thousands — through Flippa for a six-figure sum. Affected plugins include Countdown Timer Ultimate (20k+ installs), Popup Anything on Click (30k+), WP Logo Showcase Responsive Slider (30k+), WP Testimonial with Widget, and many others.

The buyer gained SVN commit access on WordPress.org on May 12, 2025, and on August 8, 2025 published version 2.6.7 with an innocuous changelog entry about WordPress 6.8.2 compatibility. Hidden in that release were 191 lines of backdoor code within the existing wpos-analytics module — a PHP deserialization backdoor enabling remote code execution.

The backdoor remained dormant for eight months.

Activation: April 5–6, 2026

Between 04:22 and 11:06 UTC on April 6, the command-and-control domain analytics.essentialplugin.com began distributing payloads to every website running an infected plugin. The malware:

  • dropped a file called wp-comments-posts.php into the webroot
  • injected SEO spam code into wp-config.php (file size increase of ~6 KB)
  • displayed infected content exclusively to Googlebot — site owners saw nothing wrong when browsing their own sites

The attacker used an Ethereum smart contract for DNS resolution of the C2 domain — a technique that makes it harder to take down the infrastructure.

WordPress.org's response

On April 7, the WordPress Plugins Review team permanently closed all 26+ plugins — one of the largest mass removals in the platform's history. The following day they force-pushed version 2.6.9.1, which adds return; statements to disable the phone-home function. However: this update does not clean wp-config.php. Anyone who was compromised remains compromised until they manually clean the file.

Sources: Patchstack, The Next Web, mySites.guru

Attack #2: Smart Slider 3 Pro — the official update channel as a weapon

What happened

The same week, a completely unrelated attack hit Smart Slider 3 Pro — a popular slider plugin with over 900,000 active installations (including enterprise sites and government portals). Here the attacker did not buy the plugin — they compromised the update infrastructure of Nextend, the company behind Smart Slider.

On April 7, 2026, the attacker replaced the legitimate version 3.5.1.35 with a backdoored build on Nextend's update servers. Every site that clicked "Update" or had automatic updates enabled received malware through the official channel.

What the malware does

According to analysis by Patchstack and BleepingComputer, the payload was far more sophisticated than the Essential Plugin attack:

  • Remote code execution (RCE) — PHP eval and OS command execution via a hidden _chk GET parameter
  • Hidden admin users — a user with prefix wpsvc_ and email [email protected], invisible in the admin interface
  • Multi-layered persistence — mu-plugins/object-cache-helper.php, injection into theme functions.php, a file in wp-includes/
  • Credential theft — site information and credentials sent to an external server (wpjs1.com)

The compromised version was available for approximately 6 hours before detection and removal. Nextend has since released clean version 3.5.1.36 and a detailed cleanup guide.

Important: Only the Pro version was affected. The free version from the WordPress.org repository was not compromised.

Sources: BleepingComputer, Patchstack, Nextend advisory

Attack #3: Booking.com — millions of travelers' data exposed

What happened

On April 12, 2026, Booking.com detected suspicious activity related to customer reservations. Two days later, TechCrunch and the BBC published confirmation: unauthorized third parties accessed customer personal data, including:

  • Names, email addresses, phone numbers
  • Physical addresses
  • Reservation details (dates, accommodation, messages shared with properties)

Booking.com confirmed that financial data was not compromised. The company reset reservation PINs and notified affected customers by email. However, it refuses to disclose how many users were affected or from which regions.

"Reservation hijacking" — the scams that follow

Norton has dubbed these follow-on scams "reservation hijacks". Fraudsters contact Booking.com users via WhatsApp, SMS, or email, impersonate the hotel, and claim there is a payment problem. They use real reservation data — the correct hotel, dates, and contact details — which makes the scam convincing even for experienced users.

Luis Corrons, security evangelist at Norton, told the BBC: "Reservation hijack scams have been around for some time, but this new data makes them much more dangerous because it gives criminals precision."

Darren Guccione, CEO of Keeper Security: "When a breach at a platform the scale of Booking.com moves from data exfiltration to active phishing campaigns within days, it signals something more deliberate than opportunistic."

Airbnb: unconfirmed, but the VECT group is making claims

The VECT extortion group publicly named Airbnb alongside Booking.com in the same post. Separately, VECT reportedly compromised Guesty — a property management platform that integrates with both Airbnb and Booking.com — and claims to hold 4 million emails and 700 GB of exfiltrated data.

Airbnb has not confirmed any breach. This remains an unverified threat claim, but the context (a confirmed Booking.com breach in the same period, a compromised intermediary in Guesty) makes the situation serious for anyone using these platforms.

Sources: BBC, TechCrunch, Help Net Security, CyberSecurity News

What this means for WordPress site owners

Two separate supply chain attacks in the same week expose a structural weakness in the WordPress ecosystem: WordPress.org reviews new plugins but has no mechanism to vet ownership changes. Buying a plugin on Flippa grants commit access to hundreds of thousands of sites.

Immediate actions

If you use any Essential Plugin add-on:

  1. Check wp-config.php — look for unexpected PHP code near the require_once ABSPATH . 'wp-settings.php' line. Infected files grow by ~6 KB.
  2. Look for wp-comments-posts.php in the webroot — if it exists, the site was actively compromised.
  3. Remove the plugin, clean files, and rotate all admin passwords.

If you use Smart Slider 3 Pro:

  1. Check your version — if it was ever 3.5.1.35, treat the site as compromised.
  2. Look for hidden admin users with the prefix wpsvc_ or email [email protected].
  3. Inspect mu-plugins/, theme functions.php, and wp-includes/ for backdoor files.
  4. Ideally: restore a backup from April 5 or earlier.
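The two checklists above can be turned into a quick filesystem triage. The script below is an added example written for this article, not code from Patchstack, Nextend or WordPress.org: it looks for the webroot dropper and the trailing code in wp-config.php named for the Essential Plugin incident, and for the mu-plugins persistence file and wpsvc_ users named for Smart Slider 3 Pro. The "non-empty lines after the wp-settings.php require" rule is a heuristic assumed here (a stock wp-config.php ends with that line); the WP-CLI user check only runs if wp is installed, and the fixture at the end is constructed, not a real site.

```shell
#!/bin/sh
# Added example (not from the article or the vendors): filesystem checks for the
# indicators the article names for Essential Plugin and Smart Slider 3 Pro.
# Sets SCAN_FINDINGS to the number of hits; always returns 0.
scan_wp_install() {
  root="$1"
  SCAN_FINDINGS=0

  # Essential Plugin: dropper file placed in the webroot
  if [ -f "$root/wp-comments-posts.php" ]; then
    echo "FINDING: $root/wp-comments-posts.php exists (Essential Plugin dropper)"
    SCAN_FINDINGS=$((SCAN_FINDINGS + 1))
  fi

  # Essential Plugin: heuristic (assumption) - a stock wp-config.php ends with the
  # wp-settings.php require, so any non-empty line after it deserves a manual look.
  cfg="$root/wp-config.php"
  if [ -f "$cfg" ]; then
    trailing=$(awk '/require_once.*wp-settings\.php/ {seen=1; next}
                    seen && NF {n++} END {print n+0}' "$cfg")
    if [ "$trailing" -gt 0 ]; then
      echo "FINDING: $trailing non-empty line(s) after wp-settings.php require in $cfg ($(wc -c < "$cfg") bytes)"
      SCAN_FINDINGS=$((SCAN_FINDINGS + 1))
    fi
  fi

  # Smart Slider 3 Pro: persistence file in mu-plugins
  mu="$root/wp-content/mu-plugins/object-cache-helper.php"
  if [ -f "$mu" ]; then
    echo "FINDING: $mu exists (Smart Slider persistence)"
    SCAN_FINDINGS=$((SCAN_FINDINGS + 1))
  fi

  # Smart Slider 3 Pro: hidden admin users with the wpsvc_ prefix (needs WP-CLI)
  if command -v wp >/dev/null 2>&1; then
    users=$(wp user list --field=user_login --path="$root" 2>/dev/null | grep -c '^wpsvc_' || true)
    if [ "$users" -gt 0 ]; then
      echo "FINDING: $users user(s) with wpsvc_ prefix"
      SCAN_FINDINGS=$((SCAN_FINDINGS + 1))
    fi
  fi
  return 0
}

# Demo on a constructed fixture (not a real site): clean tree, then infected tree.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/mu-plugins"
printf "<?php\nrequire_once ABSPATH . 'wp-settings.php';\n" > "$demo/wp-config.php"
scan_wp_install "$demo"                                   # prints nothing
printf "\n<?php // constructed injected sample\n" >> "$demo/wp-config.php"
: > "$demo/wp-comments-posts.php"
scan_wp_install "$demo"                                   # prints two findings
rm -rf "$demo"
```

Run it as `scan_wp_install /path/to/webroot` against each site; a hit is a reason to pull the site offline and follow the vendor cleanup guide, not proof of a clean site when it prints nothing.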

For Booking.com users:

  1. Do not respond to messages via WhatsApp, SMS, or email requesting payment or credit card details — even if they reference your exact reservation.
  2. Change your Booking.com password.
  3. Verify everything exclusively through the official Booking.com app or website.
  4. Booking.com will never ask for card details by phone, email, or WhatsApp.

The bigger lesson

These are not attacks on "technical people". Essential Plugin affects small businesses that installed a free countdown timer or popup. Smart Slider affects designers and agencies. Booking.com affects ordinary travelers who booked a hotel for their vacation.

The common thread: trusting a platform is not a substitute for active protection. Automatic updates matter, but without regular backups, monitoring, and an incident response plan — one compromised update can mean a total loss of control over your site.

For small businesses without an internal IT department, this is the argument for professional security management — because when a week like this happens, the question is how fast you can respond, not whether you can respond at all.

Tags: WordPress, supply chain, Booking.com, Airbnb, malware, security, backup
