Hidden Backdoor Attack Targets Three Popular WordPress Plugins

CSBadmin

The Attack and Its Targets

An attacker tampered with trusted JavaScript files used by three popular WordPress plugins: PushEngage, OptinMonster, and TrustPulse. All three are owned by the same company, Awesome Motive. Security firm Sansec disclosed the campaign on June 13, finding identical malicious code in JavaScript served for all three plugins. The poisoned files turned into a vehicle for site takeover when a logged-in administrator loaded them.

PushEngage was the first to issue an incident notice, confirming that tampered copies of its script had been served to customer sites. OptinMonster and TrustPulse users, however, received no official guidance as of June 15. The exposure windows varied: the malicious code appeared in OptinMonster and TrustPulse for only about 25 minutes on June 12, while PushEngage’s exposure lasted several hours and its script remained on some CDN servers into June 14. Sansec estimates the three plugins collectively reach more than 1.2 million sites.

How the Backdoor Worked

The poisoned script only activated when a logged-in WordPress administrator loaded it. Using that admin’s session, it created a new administrator account under the attacker’s control and installed a hidden plugin that does not appear in the WordPress dashboard. This hidden plugin functions as a web shell, giving attackers a remote command channel to run code on the server without logging in. The new login credentials and site information were sent to tidio.cc, a fake domain registered weeks before the attack.

The attacker’s entry point remains disputed. PushEngage claims the attacker broke into its marketing server through a known vulnerability in the UpdraftPlus backup plugin (CVE-2026-10795) to steal a CDN API key. Sansec has not confirmed this theory and says the breach source is still unknown. The vulnerability in UpdraftPlus is rated high severity and is now patched, but whether it connects to this incident is unconfirmed.

Impact and Remediation

Because the backdoor hides from the WordPress dashboard, administrators cannot determine if their site was compromised by checking the admin interface. The only reliable method is a server-side scan. Sansec says the payload was identical across all three plugins, but has not confirmed that OptinMonster and TrustPulse were delivered the same way or within the same timeframe as PushEngage.

Indicators of compromise include suspicious folders under wp-content/plugins named content-delivery-helper or database-optimizer, admin accounts like developer_api1, and outbound traffic to tidio.cc or the attacker’s server at 84.201.6.54. Administrators should rotate all passwords, API keys, database credentials, and WordPress secret keys. Both Sansec and PushEngage warn that removing the obvious backdoor may not be sufficient, as attackers could have planted additional persistence mechanisms.
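A small server-side sweep for the indicators listed above, added here as an example and not code from the article, Sansec or PushEngage. It runs on a constructed WordPress tree, user export and log lines; the wp-content layout, the mu-plugins check and the log format are assumptions.

```python
import os
import re
import tempfile

# Indicator values named in the article.
SUSPICIOUS_PLUGIN_DIRS = {"content-delivery-helper", "database-optimizer"}
SUSPICIOUS_USERS = {"developer_api1"}
SUSPICIOUS_HOSTS = {"tidio.cc", "84.201.6.54"}

def scan_plugin_dirs(wp_root):
    """Return plugin directories whose names match the known backdoor names.
    plugins/ and mu-plugins/ are both checked (assumption: a plugin hidden
    from the dashboard may sit in either; mu-plugins are never listed)."""
    hits = []
    for sub in ("plugins", "mu-plugins"):
        path = os.path.join(wp_root, "wp-content", sub)
        if os.path.isdir(path):
            hits += [f"{sub}/{n}" for n in sorted(os.listdir(path))
                     if n in SUSPICIOUS_PLUGIN_DIRS]
    return hits

def scan_admin_users(users, known_admins):
    """users: (login, role) rows exported from the database. Flags the known
    attacker login and any administrator missing from the allowlist."""
    return sorted({login for login, role in users
                   if login in SUSPICIOUS_USERS
                   or (role == "administrator" and login not in known_admins)})

def scan_outbound_log(lines):
    """Return log lines mentioning the exfil domain or attacker server,
    matched as whole tokens so e.g. 184.201.6.54 does not trigger."""
    pats = [re.compile(r"(?<![\w.])" + re.escape(h) + r"(?![\w.])")
            for h in SUSPICIOUS_HOSTS]
    return [ln for ln in lines if any(p.search(ln) for p in pats)]

def demo():
    # Constructed tree, user export and log lines (not real data).
    root = tempfile.mkdtemp()
    for d in ("plugins/optinmonster", "plugins/content-delivery-helper", "mu-plugins"):
        os.makedirs(os.path.join(root, "wp-content", d))
    users = [("alice", "administrator"), ("developer_api1", "administrator"),
             ("bob", "editor")]
    log = [
        "2026-06-12T14:02:11Z php-fpm connect 84.201.6.54:443",
        "2026-06-12T14:02:12Z curl https://tidio.cc/collect",
        "2026-06-12T14:05:00Z curl https://api.wordpress.org/plugins/",
    ]
    return {"plugin_dirs": scan_plugin_dirs(root),
            "admin_users": scan_admin_users(users, {"alice"}),
            "outbound": scan_outbound_log(log)}
```

A clean result from this sweep does not prove the site is clean, since the article notes additional persistence mechanisms may have been planted; treat it as a first pass before credential rotation.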

Source: https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html
