Cyber Posture

CVE-2026-6443

Critical

Published: 17 April 2026

Modified: 22 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (percentile 18.2)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

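CVE-2026-6443 is a critical-severity Embedded Malicious Code (CWE-506) vulnerability. The affected product is listed as Anchor, a name inferred from references; the NVD description names all WordPress plugins by Essentialplugin. Its CVSS base score is 9.8 (Critical).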

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). EPSS ranks it at percentile 18.2 for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-3 (Malicious Code Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Compromise Software Supply Chain (T1195.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Verifies the authenticity of software components such as WordPress plugins prior to installation, directly preventing deployment of tampered plugins containing supply chain-embedded backdoors.

prevent, detect: Deploys malicious code protection mechanisms to scan for and eradicate embedded backdoors like those in Essentialplugin WordPress plugins.

prevent: Controls and scans user-installed software to prevent and detect installation of compromised third-party plugins from untrusted sources.

MITRE ATT&CK Enterprise Techniques

T1195.002 Compromise Software Supply Chain (tactic: Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.

T1100 Web Shell (tactic: Persistence)
A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network.

Why these techniques?

The CVE describes a supply chain compromise (T1195.002) where a backdoor was embedded in WordPress plugins, directly enabling remote persistent access via web shell (T1100) with no authentication required.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugins they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

Deeper analysis

CVE-2026-6443, published on 2026-04-17, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) classified under CWE-506 (Embedded Malicious Code). It affects all plugins by Essentialplugin for WordPress across various versions. The vulnerability arises from the plugins being sold to a malicious threat actor, who embedded a backdoor into all acquired plugins.

The threat actor can exploit this backdoor remotely against any site running the affected plugins, requiring no authentication, privileges, or user interaction. Exploitation enables the actor to maintain persistent access to the site and inject spam, with potential for high-impact compromise of confidentiality, integrity, and availability.

Advisories linked to this CVE, including those from Wordfence and Anchor.host, provide further details on the incident; practitioners should consult these references for recommended mitigations such as plugin removal or updates where available.

Details

CWE(s): CWE-506 (Embedded Malicious Code)

Affected Products

Anchor (inferred from references and description; NVD did not file a CPE for this CVE)

AI Security Analysis

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: backdoor, backdoor, backdoor

CVEs Like This One

CVE-2025-59374 (shared CWE-506)
CVE-2025-30066 (shared CWE-506)
CVE-2026-33634 (shared CWE-506)
CVE-2026-34424 (shared CWE-506)
CVE-2026-34841 (shared CWE-506)
CVE-2025-54313 (shared CWE-506)
CVE-2025-30154 (shared CWE-506)
CVE-2026-31976 (shared CWE-506)

References