Malicious WordPress scripts in three popular plugins exposed more than 1.2 million sites

A supply chain attack on WordPress plugins PushEngage, OptinMonster and TrustPulse exposed more than 1.2 million sites to malicious JavaScript that could create hidden admin access and install a backdoor when a logged-in administrator loaded the script, according to a technical analysis by Sansec.

KEY FACTS

  • Scope: All three affected plugins are made by one company, Awesome Motive.
  • Exposure: Sansec said OptinMonster and TrustPulse were exposed for about 25 minutes on June 12, while PushEngage was exposed for several hours, and into June 14 on some CDN servers.
  • Behavior: The script acted only when a logged-in WordPress administrator loaded it.
  • Impact: The code could create a new admin account, install a hidden plugin and open a web shell.
  • Action: PushEngage said it replaced the bad files, cleared its CDN cache and changed related credentials.

PushEngage said its tampered JavaScript files were served from its CDN and that the rest of its systems were not reached. The company said the attacker used an administrator session to create a new account, install a plugin that did not appear in the dashboard and send data to a fake domain designed to resemble tidio.com.

The report said the same malicious sequence was found across all three plugins. It said the hidden plugin was the main prize because it could provide remote command access to the server and let an intruder read files, copy the database, plant more backdoors or steal data. Sansec also said the fake domain tidio.cc was registered weeks before the attack, which suggests planning.

The initial entry point remains unclear. PushEngage said the attacker first compromised its marketing website server through a known flaw in UpdraftPlus and then used a CDN API key to alter the files served to customers. The analysis did not confirm that account and said the likely breach point is still unsettled.

Anyone who ran any of the three plugins during the window was urged to check the server directly rather than rely on the WordPress dashboard, since the planted plugin was built not to appear there. The report said indicators include plugin folders on disk that the dashboard does not list, unfamiliar administrator accounts and traffic to tidio.cc or the server at 84.201.6.54.
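The following is an added example, not code from Sansec, Awesome Motive or PushEngage, of how a site operator could run two of those server-side checks: list plugin folders on disk that the dashboard does not report, and count log lines that mention the two published indicators. Everything in the fixture is constructed for the demonstration; in particular the hidden plugin folder name `zz-cache-helper` is a made-up placeholder, since the report excerpted here does not name the planted plugin, and the log lines are invented samples.

```shell
#!/bin/sh
# Added example (not from the vendors or Sansec). Server-side checks for the
# indicators named in the report. All paths, names and log lines are constructed.

# Print plugin directories that exist on disk but are missing from the list the
# dashboard reports. The disk listing is the ground truth: a plugin that hides
# itself from the admin UI still has a folder under wp-content/plugins. On a real
# server, build the "visible" list first with:
#   wp plugin list --field=name --skip-plugins > /tmp/visible.txt
find_hidden_plugins() {
    plugins_dir=$1
    visible_list=$2
    for d in "$plugins_dir"/*/; do
        name=$(basename "$d")
        if ! grep -qxF "$name" "$visible_list"; then
            echo "$name"
        fi
    done
}

# Count log lines (web, proxy, firewall, DNS) that reference the published
# indicators. -F keeps the dots literal rather than regex wildcards.
# grep -c exits 1 when nothing matches, so normalise that to a plain "0".
count_ioc_hits() {
    logfile=$1
    grep -cF -e 'tidio.cc' -e '84.201.6.54' "$logfile" || true
}

# Unfamiliar admin accounts live in the database, so that check is a WP-CLI call
# on the real server rather than something this offline fixture can simulate:
#   wp user list --role=administrator --fields=user_login,user_email,user_registered

# --- constructed fixture so the checks run offline ---------------------------
demo() {
    tmp=$(mktemp -d)
    # two legitimate plugins plus a planted one; "zz-cache-helper" is a placeholder name
    mkdir -p "$tmp/plugins/pushengage" "$tmp/plugins/optinmonster" "$tmp/plugins/zz-cache-helper"
    printf '%s\n' pushengage optinmonster > "$tmp/visible.txt"   # what the dashboard shows
    # constructed outbound-connection log lines; two reference the indicators
    cat > "$tmp/egress.log" <<'EOF'
Jun 12 10:01:05 web01 php-fpm[2211]: outbound connect tidio.cc:443
Jun 12 10:01:09 web01 php-fpm[2211]: outbound connect api.wordpress.org:443
Jun 12 10:02:11 web01 kernel: OUT=eth0 DST=84.201.6.54 DPT=443
EOF
    echo "Plugin folders on disk the dashboard does not list:"
    find_hidden_plugins "$tmp/plugins" "$tmp/visible.txt"
    echo "Log lines referencing the indicators: $(count_ioc_hits "$tmp/egress.log")"
    rm -rf "$tmp"
}

demo
```

Run it on the real host with the plugins directory and the WP-CLI output in place of the fixture; any folder it prints, and any non-zero hit count, is a reason to treat the server as compromised and preserve it for forensics before cleaning.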

WHY IT MATTERS

The incident shows how a tampered script from a trusted plugin supply chain can turn normal site traffic into a server takeover when an administrator is logged in. Sites that used the affected plugins during the window should assume compromise until a server-side review is complete.