#267 – Backdoor in Plugins, Contact Form 7 Feature Freeze, WC India Announced

Hello!

This week on The WP Week Newsletter, we’re diving into the recent supply chain attack where an attacker planted a backdoor in 30+ plugins, Contact Form 7 set to enter feature freeze, WordCamp Asia 2027 to take place in Malaysia, the announcement of WordCamp India, new projects, and more.

We were at WC Asia last week—big thanks to everyone who stopped by, caught up with us, and had such kind things to say about our newsletter. We have shared the pics here.

Don’t forget to subscribe and listen to the podcast version of this newsletter, where you can hear more details and discussions about these topics and more.

New around here? Don’t miss the next issue, sign up now. Got something to share – connect with us.

See you next week!

Team WP-CONTENT.CO

🙌 This weekly newsletter is kindly sponsored by ProfilePress and WP Job Openings

ProfilePress – Create membership sites & sell subscriptions on WordPress Check it out  →

Create a career page and start recruiting talents in a few minutes Check it out  →

🗣️TALK OF THE TOWN

Austin Ginder documented in detail the recent supply chain attack that hit the WordPress ecosystem after the “Essential Plugin” portfolio (previously “WP Online Support”) was reportedly bought via Flippa by a new owner. The attacker inserted a hidden backdoor across 30+ plugins, which stayed dormant for about 8 months before being activated to inject SEO spam.

The Plugins Team later closed 30+ plugins and pushed forced updates, but some sites remained compromised because the forced updates did not touch wp-config.php, so anything the backdoor had placed there survived. The portfolio’s website is currently offering a 100% discount, which keeps drawing in unaware users.

👋 GOOD BYE MUMBAI

WordCamp Asia 2026 brought together 2,281 attendees over three days at the Jio World Convention Centre, Mumbai.

  • Contributor Day was easily one of the highlights, with more than 1,500 people collaborating across 20+ tables, guided by 38 table leads. According to Automattician Brett McSherry,
    • Polyglots contributors suggested over 7,000 strings and reviewed 3,200 of them.
    • The Photos team uploaded 76 images.
    • The Test team worked on 20+ tickets.
    • 55 contributors joined the Training team.
  • Matt Mullenweg couldn’t make it this year due to health reasons, and Mary Hubbard stepped in to deliver the closing keynote. She also signed a collaboration agreement with DY Patil Agriculture & Technical University, Talsande, Kolhapur during the event.
  • AI and education were major talking points throughout. Hubbard also spoke about the WordPress Campus Connect program, which started in India and is now making its way across the globe. The event wrapped up with the announcement of Penang, Malaysia as the next host, followed by a super energetic afterparty.
  • We were there as an official Media Partner, and the vibe was just amazing. AI was everywhere—on stage, in conversations, pretty much all around. We caught up with some familiar faces from the community like Jamie Marsland, James Giroux, Birgit Pauli-Haack, Meher Bala, Regan Khadgi, and Lokesh Prem Budhrani, along with the communications team at Automattic. Had some great conversations—and hearing a few of them mention our newsletter honestly made our day.
  • Those who missed the event can now watch the recorded live streams.

📰  WORDPRESS & AROUND

All the updates around WordPress and its closely related technologies

The discussion started with a complaint from a contributor about an Akismet-related core ticket, arguing it was pushed through by Automattic employees with little public discussion while independent contributors face long delays and heavy scrutiny. Matt Mullenweg weighed in, saying he wasn’t aware of the ticket but using it as an example of deeper issues and urging contributors to loop him in directly instead of letting debates drag on.

From there, he broadened the conversation, criticizing WordPress for becoming bogged down by excessive process, over-consensus, and risk aversion, which makes it hard to ship features and pushes contributors away. He pointed to problems like thousands of unresolved tickets, slow development, outdated rules (including around AI and themes), and inconsistent decision-making. He also extended the critique to WordPress.org itself, calling out poor design, confusing navigation, and a lack of product direction.

  • New WordPress Flagship event – WordCamp India: WordCamp India will join the ranks of WordCamp Asia, WordCamp Europe, and WordCamp US as the fourth flagship event from next year onwards. The idea of a WordCamp India was on the cards for some time. At the WordCamp Asia 2024 Q&A session, Mullenweg joked, “Do WordCamp India! I’ll be there.” More details are awaited.
  • Matt Mullenweg on elevating individuals: Matt Mullenweg urges the WordPress community to shift back toward celebrating individual contributors over company affiliations. Highlighting concerns around things like badge design and broader community practices, he argues that the ecosystem has overemphasized sponsorships and input metrics (like hours contributed) instead of real impact.
  • Defining expectations for Iteration issues: Anne McCarthy outlines updated guidelines for iteration issues in the Gutenberg GitHub repository: each release should get a new issue (not a reused one), and updates must happen at least monthly before beta and weekly during the beta/RC periods, especially around Beta 1 and RC1. Issues should be regularly updated with completed work, upcoming work, blockers, and progress, and closed when the release is finished.
  • New Patterns Slack channel now live: Velda Christensen initiated a discussion asking if it would make sense to have a Slack channel for Patterns, saying it was difficult to know where to check for information. Chetan Prajapati, noting his experience as a Pattern table team lead at WordCamps, said it is difficult to continue discussions and support new contributors without a dedicated channel, and supported having one. Later, Dion Hulse created a new Patterns Slack channel.
  • What’s new in Gutenberg 22.9: This release introduces background gradients alongside background images, improvements to the command palette, and several other improvements and bug fixes.
  • What’s new for developers: Jonathan Bossenger covers key developer updates around WordPress 7.0, including its delayed release for real-time collaboration improvements, alongside new features like the AI Client, Connectors API, as well as related Gutenberg plugins, themes, and other updates.
  • Migrating WordPress Playground Documentation to WordPress.org: Fellyph Cintra shared progress on the migration effort, outlining technical challenges, completed work, and a phased roadmap covering English migration, internationalization, and future AI-powered features.
  • Critical supply chain compromise in Smart Slider 3 Pro: Full malware analysis: A Patchstack report details how attackers gained access to Nextend’s update infrastructure and distributed a malicious version (3.5.1.35). Sites that unknowingly updated installed a backdoored plugin with remote command execution, hidden administrator creation, multiple persistence mechanisms across plugin/theme/core files, and data exfiltration to an external command-and-control server. Users are advised to update to the latest patched version immediately.
  • 50,000 WordPress sites affected by arbitrary file upload vulnerability in Ninja Forms – File Upload WordPress plugin: The vulnerability, which allows an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, has been patched. Users should update to the latest version immediately.
  • Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026): Last week, there were 54 vulnerabilities disclosed in 49 plugins.
  • New Google spam policy targets back button hijacking: Google added a new section to its spam policies designating “back button hijacking” as an explicit violation under the malicious practices category. Enforcement begins on June 15, giving websites two months to make changes.
  • Cloudflare has announced the general availability of its Sandboxes: This now gives AI agents fully functional, secure environments to develop, run, and test code.

🔧 TIP OF THE WEEK
Use wp_localize_script() for Dynamic Data

Tip: Pass PHP data to JS the right way.

// The 'app' handle must already be registered or enqueued, otherwise nothing is output.
wp_localize_script( 'app', 'themeData', [
  'ajax_url' => admin_url( 'admin-ajax.php' ),
] );

Cleaner than inline scripts.
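As an added example (not from the newsletter or any project it mentions), here is the same pattern carried through end to end: the script is enqueued, handed the AJAX URL plus a nonce via wp_localize_script(), and the nonce is verified in the AJAX handler. The handle “app”, the path assets/app.js, the action “app_ping” and the wpweek_ function names are assumed for illustration.

```php
<?php
// Added example, not the newsletter's own code. Assumed names: handle 'app',
// file assets/app.js, AJAX action 'app_ping', wpweek_* function names.

add_action( 'wp_enqueue_scripts', 'wpweek_enqueue_app' );
function wpweek_enqueue_app() {
    // Register/enqueue first: wp_localize_script() silently does nothing
    // for a handle that WordPress does not know about.
    wp_enqueue_script(
        'app',
        get_theme_file_uri( 'assets/app.js' ), // assumed path
        [],
        '1.0.0',
        true
    );

    // The array is JSON-encoded into a <script> block in the page, so quotes
    // or tags inside the values cannot break out of it. Everything here is
    // visible to every visitor in the HTML source, so pass only public data.
    wp_localize_script( 'app', 'themeData', [
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'app_ping' ),
    ] );
}

// Same handler for logged-in and anonymous requests.
add_action( 'wp_ajax_app_ping', 'wpweek_app_ping' );
add_action( 'wp_ajax_nopriv_app_ping', 'wpweek_app_ping' );
function wpweek_app_ping() {
    // Stops with a 403 unless the 'nonce' field matches the 'app_ping' nonce
    // that was handed to the browser through themeData.
    check_ajax_referer( 'app_ping', 'nonce' );

    // Never use $_POST values raw: unslash, then sanitize for the context.
    $msg = isset( $_POST['msg'] )
        ? sanitize_text_field( wp_unslash( $_POST['msg'] ) )
        : '';

    wp_send_json_success( [
        'echo' => $msg,
        'user' => get_current_user_id(), // 0 for anonymous visitors
    ] );
}
```

In app.js the data is reachable as themeData.ajax_url and themeData.nonce; a request such as fetch(themeData.ajax_url, { method: 'POST', body: new URLSearchParams({ action: 'app_ping', nonce: themeData.nonce, msg: 'hi' }) }) exercises the handler. Leaving the nonce out of the request is the quickest way to confirm that check_ajax_referer() really rejects it.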

👥 COMMUNITY NEWS

Updates and News from the WordPress Community

The WordPress community will be heading to Southeast Asia once again, as WordCamp Asia 2027 is set to take place in Penang, Malaysia. The Call for Organizers is now open.

  • WordCamp Asia 2026 wrapped up last week: The event has come to a close, marking another strong moment for the community. Matt Mullenweg was unable to attend this year due to health reasons. The event saw a total of 2,281 attendees across three days. Those who missed it can now watch the recorded live streams. Also, WordCamp India has been announced as the fourth flagship event, set to debut next year.
  • The 2026 Metorik Insights for WooCommerce report: Metorik analyzed over 65 million WooCommerce orders to reveal key trends, like mobile driving 72% of orders while desktop users spend more, weekend order values dropping significantly, free shipping rising to 74%, a notable decline in refund rates, and much more.
  • Contact Form 7 to enter feature freeze: Takayuki Miyoshi announced this during his presentation at WordCamp Asia 2026, saying that the upcoming 6.2 will be the final major update, after which the plugin will only receive bug fixes and security improvements. The decision was made to focus on their new project, “Contactable.io”, an API plus WP plugin set for 2028.
  • Plugin review backlog hits record high in WordPress: Andrew Hoyer reports that the number of WordPress plugins awaiting review has surged to record levels, surpassing 1,000 for the first time in his tracking.
  • New in WordPress Studio: Studio CLI on npm & phpMyAdmin access: Studio now supports a standalone CLI via npm, letting developers create and manage local WordPress sites directly from the terminal without needing the desktop app. It also adds built-in phpMyAdmin access in the desktop app, making database management easier without switching tools. The team also released an early preview of a new Studio CLI command, “npx wp-studio@next code”, and from the next version onwards, Core and Studio skills can be installed from the desktop app itself.
  • SureForms 2.7.1 released: This version introduces a new Constant Contact integration, new conditional logic, and several other fixes.
  • Tutor LMS v3.9.9 is released: The update improves accessibility with updated modals and icons for better WCAG 2 compliance, adds a terms and conditions agreement checkbox at signup, and strengthens checkout security, while also fixing an SQL injection vulnerability and a Stripe payment status issue in Pro.
  • WP System Report v1.2.0 is now live: The update has introduced MCP integration, allowing WP System Report to work with the WordPress MCP Adapter and Abilities API (WP 6.9+), so AI tools like Claude, ChatGPT, and Copilot can directly query sites, analyze issues, and suggest fixes.
  • Foundation 1.1.0 is here: This is a major update that introduces two new blocks, two new rich text formats, along with a rebuilt form settings panel and redesigned admin.
  • Joe Vans calls out WP Engine’s scary emails: He highlighted that WP Engine is sending emails flagging 500 errors and performance issues to get users into meetings. He claims those calls shift into questions about site usage and future plans, without addressing the issues upfront, and often lead to requests for additional engineering reviews.
  • Hooks, Filters & Now Context: Why MCPs are the Hooks of the AI Era: Miriam Schwab’s WordCamp Asia 2026 talk explains that WordPress’s history of open extensibility through hooks and filters enabled a large ecosystem of plugins and themes that interact through shared interfaces without permission or coordination. She says this same approach is now being applied to AI through the Abilities API, MCP Adapter, and WP AI Client, describing it as a hooks system for AI that lets AI agents interact with WordPress in an open, standard way.
  • Seo-graph: Created by Joost de Valk, this is agent-ready SEO for JavaScript: a schema.org JSON-LD graph builder plus an Astro integration, designed to be shared across frameworks and CMSes.

🚀 NEW PROJECTS
SEO is wp_head hooks and a meta box. Analytics is embedding a lightweight script. Two-factor auth is standard TOTP with zero external dependencies. These aren’t massive engineering challenges. They’re things someone just needs to sit down and build. So I did.

Joost Boer, on creating SailWP.
  • SailWP: A block theme developed by Joost Boer that comes with built-in SEO, analytics, two-factor authentication, cookie consent, multilingual support, and an AI-powered page builder. The total frontend size is just 94 KB, including CSS, JavaScript, and fonts.
  • Kratt: An Experimental WordPress AI block composer developed by Giorgos Sarigiannidis. It allows users to generate and insert blocks via natural language using the WP AI Client.
  • BBH Custom Schema: The plugin by Md Jahid Shah allows users to add custom JSON-LD schema markup to any post or page.
  • Write: The plugin developed by Jamie Marsland reimagines the editor as a clean, distraction-free space built purely for writing. It strips away dashboards, sidebars, and clutter, and it offers a minimal full-screen experience with simple tools that appear only when needed.
  • WP Apps: Developed by Vikas Singhal, this is an open spec for sandboxed, permission-scoped WordPress extensions. Apps run as isolated external HTTP services with zero access to the database, filesystem, or PHP runtime and communicate through a structured API protocol.
  • WP Block Icon Preview: Created by Ronald Huereca, the tool helps users to check how SVGs will look in the block editor and on .org.
  • NotedWP: The plugin, created by Lyndon Kaleb, allows clients to click anywhere on their live WordPress site to leave pinned, in-context feedback.
  • Bazaar: Developed by Nick Hamze, the plugin turns the admin dashboard into a lightweight app platform.

🔖 INTERESTING READS & PODCASTS

More posts and podcasts from the WordPress Community you don’t want to miss

  • On this episode of WP Product Talk, Matt Cromwell and Zack Katz are joined by Matt TK Taylor and Matt Kane from Cloudflare to discuss EmDash, a new Astro-based CMS, and whether it presents an opportunity or a threat to the WordPress ecosystem.
  • Bram Vergouwen speaks with Matt Cromwell on this episode of Melapress Show about the journey of GiveWP from an early plugin to an eight-figure acquisition. They discuss key lessons for WordPress product founders, including growth mistakes, using customer feedback for product decisions, and so on.
  • On this episode of The WP Minute+, Eric talks with Malcolm Peralty about his experience with WordPress and Drupal, his role at Pressable, AI in site management, the value of human support, and his work as a co-author.
  • Varun Dubey reflects on WordCamp Asia 2026, where he found that about 90% of conversations centered on AI.
  • Riad Benguella shared how he redesigned his WordPress site in about two hours using Studio Code, which enables local editing, AI-assisted redesign prompts, and easy publishing.
  • Joost Boer discusses the delayed release of WordPress 7.0 due to challenges with real-time collaboration, highlighting how the feature is built for teams while many WordPress sites are run by a single user.
  • Job Thomas highlighted how WooCommerce’s bug blitz initiative empowered support teams to fix over 150 backlog bugs in just weeks.
  • Eric Karkovack explores how AI can be used not just for coding assistance in WordPress, but as a learning tool. He shows how developers can use AI to understand code, explore alternative solutions, and improve security and performance.
  • Justin Ferriman argues that WordPress plugin businesses are facing serious pressure as AI tools like Claude make it easy to bypass feature gating, recreate add-ons, and even replace parts of paid support.
  • Taco Verdonschot reflects on missing WordCamp Asia 2026, balancing the pull of FOMO from not seeing friends and attending the event with the joy of staying home, spending time with family, and appreciating what he didn’t miss.
  • Steve Bonisteel explained that enterprise-ready WordPress hosting is often misused to mean handling high traffic, when it actually requires strong security, governance, and compliance beyond just scalability.
  • Mark Maunder explains how AI is rapidly transforming vulnerability research, with AI-assisted findings now making up the majority of security reports in the Wordfence bug bounty program.
  • SephX reflected on using WordPress since 2003, tracing how it survived industry shifts to power 43% of the web. He frames WordPress 7.0 as a milestone where the platform finally feels complete, highlighting a mature block editor, improved performance, and a stable interactivity API.
  • Trillo AI argues that starting with building an AI agent is the wrong approach for real-world AI systems. Instead of agent-first thinking, it advocates a system-first, blueprint-driven approach where AI is just one part of a larger, structured application.
  • The AI Security Institute’s evaluation found that Claude Mythos Preview shows a clear jump in cyber capabilities, excelling in CTF challenges and even completing complex multi-step attack simulations.

🛠 GUIDE ZONE – HOWTO’S and MORE

Handpicked fresh guides from WordPress circle

📆 SAVE THE DATES

Do not miss a WordPress event ever again

🎁 WORDPRESS DEALS OF THE WEEK

Again, these are the best deals of the week, handpicked by yours truly!

EXCLUSIVE DEALS
  • 4 Months free offer on hosting plans of WP Engine (Coupon Code- FREEDOMTOCREATE)
  • 10% off on monthly & annual plans at SureTriggers (Coupon Code- WPCONTENT10)
  • Up to 84% off at Hostinger (Code NYSALE for an extra 10% off)
  • 15% off yearly plans at Videvo (Coupon Code – WPV15)
MORE DEALS

Last but not least, updates from WP-CONTENT.CO 👇

Patricia BT has put forward a proposal to explore the possibility of organizing a Community Summit alongside a…

The WordPress Community Team has launched the WordPress Facilitator Training Program, a free initiative designed to help people…

The WordPress community will be heading to Southeast Asia once again, as WordCamp Asia 2027 is set to take place…

Cloudflare has launched a new content management system called EmDash, built over the course of two months with…

Team WP-CONTENT.CO

Built with Newsletter Glue.