Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites
https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html
Publish Date: 2026-06-15 05:59:00
Source Domain: thehackernews.com
An attacker tampered with trusted JavaScript files used by WordPress sites running PushEngage, OptinMonster, and TrustPulse, turning those files into a way to break into the sites.
When a site administrator was logged in as the file loaded, the code created an admin account under the attacker’s control and installed a hidden plugin that opened a way back in. Ordinary visitors did not trigger it.
Any site that was hit should be treated as compromised. All three plugins are run by one company, Awesome Motive, which had not commented on the two larger plugins as of June 15.
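The behaviour described above gives a defender two concrete things to look for on a site that loaded one of the tampered scripts: an administrator account registered inside the exposure window, and a plugin directory that nobody on the team installed. The following triage helper is an added example, not code from the article, Sansec or Awesome Motive. It assumes the default `wp_` table prefix, that `wp_users` and `wp_usermeta` rows have been exported as dictionaries, and that the site keeps a known-good plugin inventory; the window is the June 12 to 14 range reported for the campaign, and all user names and plugin directories below are constructed sample data rather than indicators from the incident.

```python
import re
from datetime import datetime, timezone

# Exposure window reported for the campaign (UTC): tampered scripts were seen
# from June 12 into June 14, 2026. Widen it if your own logs say otherwise.
WINDOW_START = datetime(2026, 6, 12, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 14, 23, 59, 59, tzinfo=timezone.utc)

# WordPress stores a user's roles in wp_usermeta (meta_key wp_capabilities) as
# a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}.
# This pulls out every role key whose value is boolean true.
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def parse_roles(serialized_caps: str) -> set:
    """Extract the role names from a serialized wp_capabilities value."""
    return set(_ROLE_RE.findall(serialized_caps))


def parse_wp_time(value: str) -> datetime:
    """wp_users.user_registered is stored as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def suspicious_admins(users, usermeta, start=WINDOW_START, end=WINDOW_END):
    """Return logins of administrator accounts registered inside the window.

    users:    wp_users rows as dicts with ID, user_login, user_registered
    usermeta: wp_usermeta rows as dicts with user_id, meta_key, meta_value
    """
    caps = {
        m["user_id"]: parse_roles(m["meta_value"])
        for m in usermeta
        if m["meta_key"] == "wp_capabilities"  # assumes the default wp_ prefix
    }
    hits = []
    for u in users:
        roles = caps.get(u["ID"], set())
        registered = parse_wp_time(u["user_registered"])
        if "administrator" in roles and start <= registered <= end:
            hits.append(u["user_login"])
    return hits


def unexpected_plugins(installed, inventory):
    """Plugin directories present on disk but absent from the known-good inventory."""
    return sorted(set(installed) - set(inventory))


# Constructed sample data: placeholder names, not indicators from the incident.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-04 10:00:00"},
    {"ID": 2, "user_login": "editor_jane", "user_registered": "2026-06-13 09:15:00"},
    {"ID": 3, "user_login": "wp_support_tmp", "user_registered": "2026-06-12 22:30:41"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
# Directory names under wp-content/plugins (and mu-plugins); "wp-core-helper" is a
# constructed stand-in for a directory the team never installed.
SAMPLE_PLUGIN_DIRS = ["optinmonster", "pushengage", "trustpulse", "wp-core-helper"]
KNOWN_GOOD_PLUGINS = ["optinmonster", "pushengage", "trustpulse"]

if __name__ == "__main__":
    print("admins created in window:", suspicious_admins(SAMPLE_USERS, SAMPLE_USERMETA))
    print("plugins not in inventory:", unexpected_plugins(SAMPLE_PLUGIN_DIRS, KNOWN_GOOD_PLUGINS))
```

Only the old owner account and the in-window editor pass; the in-window administrator and the unknown plugin directory are reported. When building the installed list, include `wp-content/mu-plugins` as well as `wp-content/plugins`, since must-use plugins load without appearing in the ordinary plugin list, and treat a hit as confirmation of the article's advice rather than as the end of the investigation: the account and plugin are what the script left behind, not everything the attacker may have done with the admin session.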
Security firm Sansec disclosed the wider campaign on June 13, finding the same malicious code in JavaScript served for all three plugins.
PushEngage followed a day later with its own incident notice, confirming an attacker had served tampered copies of its script and that sites loading them could be taken over.
PushEngage, acquired by Awesome Motive years ago, is so far the only one of the three to issue guidance; OptinMonster and TrustPulse users have heard nothing official.
The window was not the same for each plugin. Sansec saw the malicious code in OptinMonster and TrustPulse for only about 25 minutes on June 12, first around 22:17 UTC and gone by 22:42. PushEngage’s exposure ran longer: several hours on June 12, and its script was still being served from some of the CDN’s servers into June 14.
So the two plugins with the most sites had the smallest window, and PushEngage had the largest.
Sansec estimates that the three plugins reach more than 1.2 million sites between them, the bulk of that OptinMonster, which alone has over a million active installs. PushEngage’s WordPress plugin has more than 9,000. That figure is reach, not damage: it counts sites that run the plugins, not sites that were broken into.
How the attack worked
The poisoned script did nothing on a normal page view. It acted only when a logged-in WordPress administrator loaded it, then used that admin’s session to…