An unidentified threat actor acquired the EssentialPlugin plugin suite and embedded dormant backdoors across 30+ WordPress plugins, activating them to deliver SEO spam, malicious redirects, and fake pages visible only to search engine crawlers. WordPress.org issued a forced update that severed the command-and-control path, but a malicious wp-config.php modification was not addressed by that update and requires manual remediation on every affected installation. Sites that received the forced update but have not completed manual wp-config.php inspection remain partially compromised.
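The manual wp-config.php inspection can start with a triage pass like the one below, an added example that is not code from WordPress.org or the plugin vendor. The page does not describe what the injected code looks like, so the script assumes nothing about it and instead flags every line that falls outside the layout of a stock wp-config.php; the allowlist, the `audit_wp_config` name and the sample input are constructed for illustration.

```python
import re

# Added example: allowlist of the constructs a stock wp-config.php contains.
# Anything else is reported for human review (a heuristic, not an IoC match).
LITERAL = r"""(?:'[^']*'|"[^"$]*"|\d+|true|false|null|(?:__DIR__|dirname\(\s*__FILE__\s*\))\s*\.\s*'/')"""
ALLOWED = [re.compile(p, re.I) for p in (
    r"<\?php",
    r"define\(\s*'[A-Z0-9_]+'\s*,\s*" + LITERAL + r"\s*\);",
    r"\$table_prefix\s*=\s*'[A-Za-z0-9_]+';",
    r"if\s*\(\s*!\s*defined\(\s*'ABSPATH'\s*\)\s*\)\s*\{?",
    r"\}",
    r"require_once\s*\(?\s*ABSPATH\s*\.\s*'wp-settings\.php'\s*\)?;",
)]

SAMPLE = """<?php
/**
 * Constructed sample, not taken from an affected site.
 */
define( 'DB_NAME', 'wordpress' );
$table_prefix = 'wp_';
// harmless-looking note ?><?php include '/constructed/path.php';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
@include_once '/constructed/loader.php';
require_once ABSPATH . 'wp-settings.php';
"""

def audit_wp_config(text):
    """Return [(line_number, code)] for every line outside the stock layout."""
    findings, in_comment = [], False
    for number, raw in enumerate(text.splitlines(), start=1):
        code = raw.strip()
        if in_comment or code.startswith("/*"):
            head, closed, tail = code.partition("*/")
            in_comment = not closed
            code = tail.strip()  # code placed after a closing */ is still checked
        # PHP ends a // comment at "?>", so such a line can still carry code.
        if not code or (code.startswith("//") and "?>" not in code):
            continue
        if not any(p.fullmatch(code) for p in ALLOWED):
            findings.append((number, code))
    return findings

if __name__ == "__main__":
    import sys
    path = sys.argv[1]  # path to the wp-config.php under review
    for n, code in audit_wp_config(open(path, encoding="utf-8", errors="replace").read()):
        print(f"{path}:{n}: {code}")
```

Legitimate site-specific customizations are flagged too, so each reported line needs a human decision, ideally against a known-good backup of the file.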