🚨 Security Advisory: Active Exploit Targeting OMGF Pro

I’m writing this to inform you about a critical security vulnerability in OMGF Pro that is currently being actively exploited in the wild.

This post was last updated: June 25th, 2026 at 17:13 GMT+2.

What’s happening

A vulnerability has been discovered in OMGF Pro that allows unauthenticated attackers to upload and execute malicious files on your server. This is a Remote Code Execution (RCE) vulnerability, and it is being actively exploited as of June 25, 2026.

I take security extremely seriously, and I want to be fully transparent about this issue.

Immediate action required

If you are running OMGF Pro, deactivate the plugin immediately until the patched version is available. This is the only way to fully protect your site right now.

To be clear: simply deactivating OMGF Pro will not break your site. Your fonts will revert to loading from Google’s servers until the plugin is reactivated.

What I’m doing about it

I am actively working on a fix right now and will ship the patched version within 24 hours. I will notify you through this blog, newsletter and X when a patched version is available.

Once the patch is released, update immediately and reactivate the plugin.

When you are not affected

What I know at this point is that your site is likely not vulnerable if any of the following apply:

  • You are only running OMGF (the free version). This vulnerability only applies to OMGF Pro.
  • Your server is configured to block PHP execution in the wp-content/uploads/ directory. Many managed hosting providers enforce this by default.
  • OMGF Pro hasn’t detected @import statements in previous Optimization runs.
  • You have disabled WordPress search functionality entirely (e.g. through a plugin or theme setting).
  • Your theme does not reflect the search query on the search results page.

If you’re unsure whether any of the above apply to your setup, deactivate the plugin to be safe.

If you think your site may be compromised

If your site was running OMGF Pro and you suspect it may have been compromised, check the wp-content/uploads/omgf/ directory for a directory called code.elemetate.com containing a kk.php file. If you find it, that doesn’t immediately mean your site has been breached.

Go to your access.log (or ask your hosting provider to check it) and look for requests to the kk.php file. If those requests returned a 403 or 500 (or anything other than 200, really) status code, the server refused to execute the file and your site hasn’t been breached. If you see a 200 status code, the file was executed and your site was breached.
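To make that access.log check repeatable, here is an added Python script (my example, not code from this advisory or from OMGF Pro). It scans log lines in the common combined format (an assumption; adjust the regex if your host logs differently), keeps only requests for kk.php under wp-content/uploads/omgf/, and separates 200 responses (file executed) from any other status (execution refused). The sample lines are constructed, not taken from a real log.

```python
import re
import sys
from typing import Iterable

# Indicator from the advisory: wp-content/uploads/omgf/code.elemetate.com/kk.php
OMGF_UPLOADS = "/wp-content/uploads/omgf/"
DROPPED_FILE = "kk.php"

# Combined log format (Apache/Nginx default) is assumed; extract client, time, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def triage_kk_php(lines: Iterable[str]) -> dict:
    """Per the advisory: a 200 for kk.php means it ran, any other status means it was refused."""
    executed, blocked = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if OMGF_UPLOADS not in path or path.rsplit("/", 1)[-1] != DROPPED_FILE:
            continue
        hit = {"ip": m.group("ip"), "time": m.group("ts"),
               "method": m.group("method"), "status": int(m.group("status"))}
        (executed if hit["status"] == 200 else blocked).append(hit)
    return {"executed": executed, "blocked": blocked, "breached": bool(executed)}

# Constructed sample lines (TEST-NET addresses), not a real log.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jun/2026:14:02:11 +0200] "GET /wp-content/uploads/omgf/code.elemetate.com/kk.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Jun/2026:14:02:13 +0200] "POST /wp-content/uploads/omgf/code.elemetate.com/kk.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2026:14:05:00 +0200] "GET /?s=fonts HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # Usage: python triage.py /path/to/access.log  (no argument: runs on the sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = triage_kk_php(fh)
    else:
        result = triage_kk_php(SAMPLE_LOG.splitlines())
    for label, hits in (("blocked", result["blocked"]), ("EXECUTED", result["executed"])):
        for hit in hits:
            print(f"{label:8} {hit['time']} {hit['ip']} {hit['method']} -> {hit['status']}")
    print("verdict:", "breached, file was executed" if result["breached"] else "no executed request found")
```

Run it over the rotated copies of the log as well (access.log.1, gzipped archives), since the requests may predate the current file.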

After the fix is released, I’ll figure out what damage the script is trying to do, so I can provide you with steps on how to clean your system and properly assess whether your site has been breached.

I’m sorry

I understand the severity of this situation. Your trust in my plugins is something I don’t take lightly, and I’m doing everything I can to resolve this as fast as possible.

I will publish a new post here once the patched version has been released and include details of affected areas of your system and how to clean it. Stay tuned!
