
WordPress Plugins Compromised to Deploy Hidden Backdoors


More than 1.2 million sites run the three WordPress plugins whose trusted JavaScript files were tampered with to deliver hidden backdoors, security researchers warned — a reach figure that describes potential exposure, not confirmed intrusions.

How the poisoned JavaScript worked

Sansec, which disclosed the wider campaign on June 13, found identical malicious code embedded in JavaScript served for PushEngage, OptinMonster, and TrustPulse. The injected code was designed to do nothing for ordinary visitors; it triggered only when a logged‑in WordPress administrator loaded the page. In that context the script used the administrator's session to create a new admin account, install a plugin that does not appear in the dashboard, and exfiltrate credentials and site details to a fake domain, tidio[.]cc.

In PushEngage's account, the two tampered files were pushengage-web-sdk.js and pushengage-subscription.js delivered from clientcdn.pushengage.com. Sansec reported the same sequence — new admin account, hidden plugin that opens a web shell, and outbound signals to tidio[.]cc — across all three plugins.

Timeline and the attacker’s communications

Sansec's timeline places the OptinMonster and TrustPulse exposures in a narrow window on June 12: about 22:17 UTC to 22:42 UTC, roughly 25 minutes. PushEngage's exposure was longer: Sansec saw the malicious script served for several hours on June 12, and PushEngage's files were still being served from some CDN servers into June 14.

The tidio[.]cc domain that received stolen details was registered on April 28, weeks before the June activity, a fact Sansec cites as evidence of planning rather than opportunism. The hidden plugin — the campaign’s primary persistence mechanism — provides a web shell that allows remote command execution: an attacker who knows the right URL can run code on the server without logging in and thereby read or change files, copy the database, plant additional backdoors, inject card‑skimming code, redirect visitors, or steal data.

How the attacker likely changed the CDN files — and where accounts differ

PushEngage says the attacker first broke into the server that hosted its marketing website via a known flaw in the UpdraftPlus backup plugin, then used a CDN API key found on that server to alter the files the CDN served to customer sites. PushEngage states its main application and the servers holding customer data were not reached, and that it has replaced the bad files, cleared the CDN cache, changed the CDN key and related credentials, and moved the marketing site to new infrastructure.

Sansec does not treat the entry point as settled. It lists Awesome Motive's own servers as the most likely breached system, the CDN account as possible, and the CDN provider BunnyNet as unlikely, and its public analysis does not endorse PushEngage's UpdraftPlus theory. Separately, UpdraftPlus has a fixed authentication‑bypass bug, CVE‑2026‑10795, which Wordfence rated 8.1 and has reported as exploited in other attacks; any operator of UpdraftPlus should apply that patch regardless of its role here.

What to check and do

  • Run a server‑side scan. Because the malicious payload runs only for logged‑in admins and hides from the dashboard, a browser or admin‑panel check is insufficient. Anyone who ran PushEngage, OptinMonster, or TrustPulse during the exposure window should scan the server directly.
  • Inspect the filesystem. Look under wp‑content/plugins for folders named content‑delivery‑helper ("Content Delivery Helper") or database‑optimizer ("Database Optimizer"). Trust what is on disk rather than what the dashboard reports.
  • Look for suspicious admin accounts. Delete any accounts you did not create, especially developer_api1 or names matching dev_xxxxxx, but do not assume that removing an account or the visible plugin removes all persistence.
  • Review logs. Check for traffic to or from the attacker's server at 84.201.6.54 and for connections to tidio[.]cc (including /cdn‑cgi/ paths) during June 12–14 UTC, allowing for logs written in local time. Web server access logs record only inbound requests, so they would show 84.201.6.54 as a client address; outbound connections to either indicator appear in firewall, proxy, or DNS logs, so review those as well and treat any hit as a compromise signal.
  • If you find compromise, assume the worst. Rotate all passwords, API keys, database credentials, and the secret keys (salts) in wp‑config.php; treat additional backdoors as likely.
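A server‑side triage script that applies the disk, account, and log checks above, added here as an example; it is not code from the article, Sansec, PushEngage, or Awesome Motive. It assumes a standard WordPress layout (wp‑content/plugins under the site root), access logs in common/combined format with UTC timestamps in the 2026 window the article describes, and that the dev_xxxxxx naming means six alphanumeric characters. The plugin folders, admin list, and log lines it runs against are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added triage example; not code from the article, Sansec, PushEngage, or Awesome Motive.
# Assumes a standard WordPress layout (wp-content/plugins under the site root) and
# access logs in common/combined format with [DD/Mon/YYYY:HH:MM:SS zone] timestamps.
set -u

# Indicators quoted in the article.
IOC_PLUGIN_DIRS="content-delivery-helper database-optimizer"
IOC_IP='84.201.6.54'
IOC_DOMAIN_RE='tidio\.cc'

# Check 1, filesystem: print IoC plugin folders that exist on disk, whatever the
# dashboard shows. Takes the site root as $1.
find_hidden_plugins() {
  local root="$1" d found=""
  for d in $IOC_PLUGIN_DIRS; do
    if [ -d "$root/wp-content/plugins/$d" ]; then
      found="$found $d"
    fi
  done
  printf '%s\n' "${found# }"
}

# Check 2, accounts: read one login name per line on stdin (on a live site, pipe in
# `wp user list --role=administrator --field=user_login`) and print names matching
# those quoted in the article. Assumption: dev_xxxxxx means six alphanumerics.
suspicious_admins() {
  grep -E '^(developer_api1|dev_[0-9a-z]{6})$' || true
}

# Check 3, logs: print lines dated 12-14 June 2026 that mention the attacker IP or
# tidio.cc. Access logs record inbound requests, so they show 84.201.6.54 as a
# client; outbound connections to either indicator only appear in firewall, proxy
# or DNS logs, so run this over those files too. Timestamps are assumed to be UTC.
grep_ioc_log() {
  local ip_re
  ip_re=$(printf '%s' "$IOC_IP" | sed 's/\./\\./g')   # escape dots for the regex
  grep -E '\[1[2-4]/Jun/2026:' "$1" | grep -E "$ip_re|$IOC_DOMAIN_RE" || true
}

# --- Constructed sample data so the script runs offline; on a live host point ---
# --- the functions at the real site root and log files instead.              ---
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/wp-content/plugins/pushengage" \
         "$SAMPLE_ROOT/wp-content/plugins/content-delivery-helper"
cat > "$SAMPLE_ROOT/access.log" <<'EOF'
203.0.113.7 - - [12/Jun/2026:20:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
84.201.6.54 - - [13/Jun/2026:03:14:08 +0000] "POST /index.php HTTP/1.1" 200 88 "-" "curl/8.0"
84.201.6.54 - - [20/Jun/2026:03:14:08 +0000] "GET / HTTP/1.1" 200 88 "-" "curl/8.0"
EOF
printf 'admin\ndeveloper_api1\ndev_a1b2c3\njane\n' > "$SAMPLE_ROOT/admins.txt"

echo "hidden plugin dirs: $(find_hidden_plugins "$SAMPLE_ROOT")"
echo "suspicious admins:  $(suspicious_admins < "$SAMPLE_ROOT/admins.txt" | tr '\n' ' ')"
echo "log hits (June 12-14 only):"
grep_ioc_log "$SAMPLE_ROOT/access.log"
```

On a real host, call find_hidden_plugins with the site root, feed suspicious_admins from `wp user list --role=administrator --field=user_login`, and run grep_ioc_log over every access, proxy, firewall, and DNS log you have; the June 20 line in the sample shows why the date filter matters, and a hit on any check means the full credential rotation in the last step, not just deleting what you found.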

What this means for OptinMonster, PushEngage, and TrustPulse users

Site operators running OptinMonster (which Sansec says has over a million active installs), PushEngage (more than 9,000 installs), or TrustPulse must treat any site that loaded the affected scripts during the windows above as potentially compromised. As of June 15, PushEngage was the only one of the three to have issued public guidance; Awesome Motive had not commented on OptinMonster and TrustPulse beyond Sansec's disclosure.

The takeaway is stark: the reach of a third‑party script does not just expand functionality — it expands failure modes. When a trusted CDN or marketing script is subverted, the incident can create persistent, hard‑to‑see backdoors that survive ordinary cleanup steps. Operators should act on the concrete indicators above and assume that disk‑level inspection and credential rotation are necessary to restore integrity.

https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html