Over 80 WPFactory Plugins Closed on WordPress.org After Suspected Backdoor in Premium Plugin


After a user reported a security issue in the Pro version of WPFactory’s EU/UK VAT for WooCommerce plugin, distributed via its official website, more than 80 of the company’s plugins were temporarily closed on WordPress.org.

WPFactory maintains a portfolio of more than 65 plugins with more than 170k active installations. Earlier this month, the Plugins Team closed 30+ plugins after an attacker inserted a hidden backdoor across the “Essential Plugin” portfolio; the backdoor stayed dormant for about 8 months before being activated to inject SEO spam.

Initial Reporting on GitHub

The issue was first reported on GitHub by Ferber Enterprises after they encountered a critical error while using the EU VAT for WooCommerce Pro plugin, which they had downloaded from WPFactory’s official website: “I am contacting you regarding a critical issue I have encountered with the “EU VAT for WooCommerce Pro” plugin downloaded from your official website and installed on my website. When I try to install it, it triggers a fatal error.”

During troubleshooting, they identified a suspicious file within the plugin (class-alg-wc-eu-vat-customer.php) that appeared to execute unexpected behavior, including attempting to download an external ZIP file, modify WordPress directories, and transmit data to an external server.


Ferber Enterprises stated that the plugin had been downloaded directly from WPFactory’s official website: “I want to stress that I downloaded the plugin from what I believed to be the official source.”

WPFactory Response and Investigation

Birendra Maharjan, one of the WooCommerce developers at WPFactory, responded two days after the issue was reported, saying, “After reviewing your report, we can confirm that the file class-alg-wc-eu-vat-customer.php and the behavior you described are not part of our official EU VAT for WooCommerce Pro plugin codebase.”

At the same time, Birendra Maharjan suggested the issue could be linked to factors such as a modified installation, an outdated version, or a download from an unofficial or compromised source.

Birendra Maharjan also noted that they were unable to safely review the attached ZIP file, as it was flagged by the browser as potentially unsafe: “We also attempted to review the ZIP file you attached, but the browser flagged it as potentially unsafe, so we were unable to download and inspect it securely.”

Maharjan requested additional details to help with their investigation, asking for the exact plugin version used, the download source, and supporting evidence such as screenshots or purchase information.

In response, Ferber Enterprises confirmed that the plugin had been downloaded directly from WPFactory’s official account page and reiterated that version 4.6.1 of the Pro plugin was in use. They also stated that even after re-downloading the plugin from the same source, the suspicious file was still present, suggesting that the official distribution itself may have been compromised.


Birendra Maharjan later responded, stating that the issue could not be reproduced on WPFactory’s end. He noted that the reported file did not exist in the official plugin package and that no similar behavior was observed in a clean installation: “We have checked the issue on our side, but we are unable to reproduce it. The file you mentioned does not exist in the official plugin package, and we also did not observe any similar behavior in a clean installation.”

Continuing, he suggested that the plugin files on the user’s site may have been altered after installation or may differ from the original release: “Based on this, it appears that the plugin files on your site may differ from the original release. This can happen if files were modified or replaced after installation.”
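The dispute above comes down to one verifiable question: does the package served by the vendor's site match the release it is supposed to be? Re-downloading from the same server, as the reporter did, does not answer that on its own; the download has to be compared against a copy obtained independently (a previously verified install, or a package whose hashes the vendor published). The Python script below is an added example, not code from WPFactory, from the reporter, or from the plugin: it hashes every file in two plugin ZIPs and lists the files that were added, removed or modified in the download relative to the reference. The two archives are constructed inline as stand-ins; the plugin slug, paths and file contents are hypothetical, and only the stray file name class-alg-wc-eu-vat-customer.php is taken from the report.

```python
"""Diff a downloaded WordPress plugin ZIP against a known-good release."""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field


def zip_manifest(zip_bytes: bytes) -> dict[str, str]:
    """Return {path: sha256-hex} for every regular file inside the ZIP."""
    manifest: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            manifest[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest


@dataclass
class ManifestDiff:
    added: list[str] = field(default_factory=list)     # only in the download
    removed: list[str] = field(default_factory=list)   # only in the reference
    modified: list[str] = field(default_factory=list)  # same path, different hash

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def diff_manifests(reference: dict[str, str], downloaded: dict[str, str]) -> ManifestDiff:
    """Compare two manifests path by path."""
    diff = ManifestDiff()
    for path in sorted(set(reference) | set(downloaded)):
        if path not in reference:
            diff.added.append(path)
        elif path not in downloaded:
            diff.removed.append(path)
        elif reference[path] != downloaded[path]:
            diff.modified.append(path)
    return diff


def check_download(reference_zip: bytes, downloaded_zip: bytes) -> ManifestDiff:
    """Hash both archives and report how the download deviates from the reference."""
    return diff_manifests(zip_manifest(reference_zip), zip_manifest(downloaded_zip))


def build_zip(files: dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {path: text}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


# Constructed sample data. The plugin slug, paths and file contents are hypothetical
# stand-ins; only the stray file name class-alg-wc-eu-vat-customer.php comes from the
# GitHub report.
_OFFICIAL_FILES = {
    "eu-vat-pro/eu-vat-pro.php": "<?php // plugin bootstrap (constructed)\n",
    "eu-vat-pro/includes/class-alg-wc-eu-vat-core.php": "<?php // core logic (constructed)\n",
}
REFERENCE_ZIP = build_zip(_OFFICIAL_FILES)
DOWNLOADED_ZIP = build_zip({
    **_OFFICIAL_FILES,
    # A file present in the download but absent from the reference release.
    "eu-vat-pro/includes/class-alg-wc-eu-vat-customer.php": "<?php // not in the release (constructed)\n",
})

if __name__ == "__main__":
    result = check_download(REFERENCE_ZIP, DOWNLOADED_ZIP)
    for label, paths in (("ADDED", result.added), ("REMOVED", result.removed),
                         ("MODIFIED", result.modified)):
        for path in paths:
            print(f"{label:9}{path}")
    print("clean" if result.is_clean() else "download deviates from reference")
```

Run against a real package, the reference ZIP would be the independently obtained known-good copy and the downloaded ZIP the file fetched from the vendor's site; any path in `added` is a file the release never shipped and is the first thing to inspect, while `modified` catches the subtler case of an existing file being replaced. Because the check hashes decompressed content rather than comparing the archives byte for byte, a repackaged but unaltered release still reports clean.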

To investigate further, Birendra Maharjan stated that direct access to the affected environment would be required, and requested WordPress admin and FTP/server access.

Ferber Enterprises rejected WPFactory’s request for site access: “Is this a joke? Given your cybersecurity skills and the vulnerabilities in your plugin, I’m certainly not going to share my FTP or administrator credentials with you.”

Escalation and WordPress.org Plugin Closures and Acknowledgement

Ferber Enterprises then maintained that the issue was clearly visible and unrelated to their own environment, pointing instead to WPFactory’s distribution system.

Ferber Enterprises expressed concern that WPFactory did not appear sufficiently alarmed by the situation and said they would escalate the issue to WordPress to prevent potential impact on other users.

To support their claim, they shared a video they said demonstrates the plugin behaving in a compromised manner, and insisted that the problem originated on WPFactory’s side: “It’s your website that’s compromised, nothing else.”

Birendra Maharjan later acknowledged the report again, apologising for the earlier response and stating that the issue appeared to stem from a cached or outdated plugin package being served via WPFactory’s website.

Ferber Enterprises disagreed with WPFactory’s assessment, insisting that the issue was not a matter of caching or other server-side factors but a security problem on WPFactory’s end: “No, this is clearly a security issue on your end.”

Besides the GitHub report, Ferber Enterprises also reported the issue to WordPress.org, which temporarily closed all of WPFactory’s plugins: “I alerted WordPress, and they confirmed they’ve closed all your plugins until the situation is resolved.”

Pablo Pacheco (Managing Partner – CINO at WP Factory) acknowledged the issue, apologised for the delayed response, and said the team is actively working on a fix, with updates to follow once available: “Thank you for bringing this to our attention. We sincerely apologize for not acting on your report sooner, especially on something this serious. We’ve confirmed the issue and are actively working to find a solution as quickly as possible. We’ll keep you posted as soon as we have updates.”

Camille, CEO of Ferber Enterprises, also posted on the plugin’s support forum on WordPress.org to alert others about the issue. 

Ben Word (creator of Roots and WP Packages) also drew attention to the issue and published the list of plugins that have been temporarily closed.

Beyond the specific incident, WPFactory’s website currently advertises a 50% discount on its plugins. WP Factory also acquired Extend-WP and its 19 plugins on March 17, 2025, and acquired WBW and its 6 key plugins in June 2025.

Plugin Review Queue and Broader Security Challenges

This security concern comes at a time when the plugin review queue stands at over 4000 plugins.

According to Patchstack’s State of WordPress Security in 2026 report, 46% of vulnerabilities were not fixed in time for public disclosure, highlighting ongoing challenges in timely patching across the ecosystem.
