Cyber Resilience

CVE-2026-6443

Critical · RCE

Published: 17 April 2026

Modified: 22 April 2026
KEV Added:
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0050 (38.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-6443 is a critical-severity Embedded Malicious Code (CWE-506) vulnerability in Anchor (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks at the 38.6th percentile by exploit likelihood (EPSS), below the median, and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2026-6443, published on 2026-04-17, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classified under CWE-506 (Embedded Malicious Code). It affects all plugins by Essentialplugin for WordPress across various versions. The vulnerability arises from the plugins being sold to a malicious threat actor, who embedded a backdoor into all acquired plugins.

The threat actor can exploit this backdoor remotely against any site running the affected plugins, requiring no authentication, privileges, or user interaction. Exploitation enables the actor to maintain persistent access to the site and inject spam, with potential for high-impact compromise of confidentiality, integrity, and availability.

Advisories linked to this CVE, including those from Wordfence and Anchor.host, provide further details on the incident; practitioners should consult these references for recommended mitigations such as plugin removal or updates where available.

Vulnerability details

All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugins they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The CVE describes a supply chain compromise (T1195.002) in which a backdoor was embedded in WordPress plugins, directly enabling remote persistent access via web shell (T1505.003) with no authentication required.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8398 · Shared CWE-506
CVE-2025-59374 · Shared CWE-506
CVE-2026-48027 · Shared CWE-506
CVE-2026-34424 · Shared CWE-506
CVE-2026-45321 · Shared CWE-506
CVE-2025-30066 · Shared CWE-506
CVE-2026-33634 · Shared CWE-506
CVE-2024-3094 · Shared CWE-506
CVE-2025-30154 · Shared CWE-506
CVE-2026-31976 · Shared CWE-506

Affected Assets

Anchor
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Verifies the authenticity of software components such as WordPress plugins prior to installation, directly preventing deployment of tampered plugins containing supply chain-embedded backdoors.

prevent · detect

Deploys malicious code protection mechanisms to scan for and eradicate embedded backdoors like those in Essentialplugin WordPress plugins.

prevent

Controls and scans user-installed software to prevent and detect installation of compromised third-party plugins from untrusted sources.
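
An added example (not code from this page or from the advisories it cites) of the inventory step that precedes plugin removal: it reads the standard WordPress plugin header from each PHP file under a plugins directory and lists the plugins attributed to a vendor. That the vendor name appears in the Author or Author URI header is an assumption, and the sample tree and plugin names are constructed.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a comment header within the first
# 8 KB of a plugin's main PHP file; only these four fields are needed here.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version|Author URI|Author)\s*:\s*(.+?)\s*(?:\*/|\?>)?\s*$",
    re.I | re.M)

def read_header(php_file):
    """Return the header fields of a plugin main file, or None for other PHP files."""
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value)
    return fields if "plugin name" in fields else None

def norm(s):
    """Lowercase and drop punctuation/spaces so 'Essential Plugin' == 'essentialplugin'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def find_vendor_plugins(plugins_dir, vendor="Essentialplugin"):
    """List (directory, name, version) for plugins on disk attributed to vendor.
    Assumption: the vendor name appears in the Author or Author URI header."""
    root, hits = Path(plugins_dir), []
    # Scan the disk, not the active-plugin list: deactivated plugins keep their code on disk.
    for php in sorted([*root.glob("*.php"), *root.glob("*/*.php")]):
        h = read_header(php)
        if h and any(norm(vendor) in norm(h.get(k, "")) for k in ("author", "author uri")):
            hits.append((php.relative_to(root).parts[0], h["plugin name"], h.get("version", "?")))
    return hits

def demo(vendor="Essentialplugin"):
    """Run the scan over a constructed sample tree (not real plugin code)."""
    samples = {
        "sample-slider/sample-slider.php": ("Sample Slider", "1.2.3", "Essential Plugin"),
        "other-forms/other-forms.php": ("Other Forms", "4.0", "Someone Else"),
    }
    with tempfile.TemporaryDirectory() as d:
        for rel, (name, ver, author) in samples.items():
            f = Path(d, rel)
            f.parent.mkdir(parents=True)
            f.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n"
                         f" * Author: {author}\n */\n")
        Path(d, "sample-slider", "helpers.php").write_text("<?php\n// no header\n")
        return find_vendor_plugins(d, vendor)

if __name__ == "__main__":
    print(demo())
```

On a real site, pass the path of wp-content/plugins to find_vendor_plugins and compare the output against the plugin lists in the linked advisories.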

References