Industry News & Leadership · Jun 16, 2026

OptinMonster Plugin Hack Exposes 1.2 Million WordPress Sites to Cyberattack

Cybersecurity News · Archived Jun 16, 2026




By Abinaya, June 16, 2026

A large-scale supply chain attack targeting widely used WordPress plugins has exposed more than 1.2 million websites to potential compromise after attackers injected malicious code into legitimate JavaScript files distributed through trusted CDN infrastructure. Security researchers at Sansec discovered an ongoing campaign targeting plugins developed by Awesome Motive, including OptinMonster, TrustPulse, and PushEngage. These plugins are installed on millions of WordPress sites worldwide, with OptinMonster alone surpassing one million active installations.

Rather than attacking individual websites directly, the threat actors compromised upstream JavaScript files hosted on Awesome Motive's CDN. Any website loading these scripts unknowingly executed the injected code, which makes this attack comparable to previous large-scale supply chain incidents.

The malicious payload is designed to remain stealthy and only activates when a WordPress administrator is logged in. It avoids execution in headless browsers and automated environments, which significantly reduces the chance of detection during routine scans: a scanner that fetches the page unauthenticated, or from an automated browser, never observes the malicious behaviour.

Once triggered, the script identifies the WordPress admin environment, gathers site metadata, and extracts authentication tokens from REST and AJAX endpoints. Using these tokens, the malware attempts to create unauthorized administrator accounts through multiple methods, including REST API calls and form submissions. It establishes persistence by creating both a fixed account named developer_api1 and additional randomized accounts following the dev_xxxxxx pattern.

The injected scripts were served through legitimate Awesome Motive domains such as:

a.omappapi.com
a.opmnstr.com
a.optnmstr.com
a.trstplse.com
clientcdn.pushengage.com

The stolen credentials, along with site details, are encrypted and transmitted to a command-and-control server hosted on the domain tidio[.]cc, which mimics a legitimate service name to evade suspicion.

To maintain long-term access, the attackers install a hidden backdoor plugin engineered to evade detection. The plugin conceals itself from the WordPress dashboard, API responses, update mechanisms, and activity logs, and gives the attackers full remote control of the compromised site: specially crafted requests to it result in arbitrary command execution on the server.

Indicators of Compromise

Organizations should check for the following:

Suspicious domain: tidio[.]cc (84[.]201[.]6[.]54)
Rogue admin accounts: developer_api1 or dev_xxxxxx
Hidden plugins: content-delivery-helper or database-optimizer
Unique string: jX9kM2nP4qR6sT8v (XOR key)

Note: the C2 domain and IP address above are intentionally defanged with [.] to prevent accidental resolution or hyperlinking. Re-fang them only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Sansec researchers observed that the plugin frequently changes its disguise, appearing as legitimate tools such as "Content Delivery Helper" or "Database Optimizer", so the plugin names listed above are examples rather than an exhaustive list. Active exploitation has been confirmed: Patchstack blocked hundreds of attempts to create rogue administrator accounts across multiple sites, indicating real-world abuse of the backdoor.

According to Awesome Motive, the incident was caused by the exploitation of a vulnerability in the UpdraftPlus plugin. Attackers reportedly gained access to a server hosting marketing infrastructure, retrieved a CDN API key, and used it to inject malicious code into files distributed to customers. The company has since removed the malicious scripts, rotated credentials, purged CDN caches, and migrated affected systems to new infrastructure.

Administrators using the affected plugins are strongly advised to assume compromise if an administrator was logged in to the site during the attack window. Immediate steps should include auditing all administrator accounts for unauthorized entries, scanning the filesystem directly for hidden plugins, and rotating all credentials. Since the malware activates only during authenticated admin sessions, and the backdoor plugin hides itself from the dashboard and the API, server-side inspection (the users table and the plugins directory on disk, rather than what the admin UI reports) remains one of the most effective detection methods.

This incident highlights the growing threat of supply chain attacks in the WordPress ecosystem, where compromising a single trusted source can lead to widespread impact across millions of websites.

Abinaya is a Security Editor and reporter with Cyber Security News, covering cyber security incidents.
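The triage steps above (audit administrator accounts, scan the filesystem directly for hidden plugins, look for the published IoC strings) as one shell script. This is an added example written for this page, not code from the article and not tooling from Sansec, Patchstack or Awesome Motive. It assumes WP-CLI is installed, that WP_ROOT points at the WordPress root, that the dev_xxxxxx suffix is six alphanumerics (the article only shows the pattern), and that the backdoor may hide from WP-CLI's plugin listing as well as from the dashboard, which is why the plugin check compares against the directory listing on disk instead of searching for the two known slugs.

```shell
#!/usr/bin/env bash
# Server-side triage for the Awesome Motive CDN compromise described above.
# Added example: not from the article, Sansec, Patchstack or Awesome Motive.
# Assumptions: WP-CLI is installed and WP_ROOT is the WordPress root.
# Each check reads plain text so it can be exercised offline; main() wires
# the checks to the live site and is only entered with --run.
set -u

WP_ROOT="${WP_ROOT:-.}"

# IoCs quoted in the article (re-fanged here because the script matches
# them as literal strings; it never resolves or connects to them).
C2_DOMAIN='tidio.cc'
C2_IP='84.201.6.54'
XOR_KEY='jX9kM2nP4qR6sT8v'

# Check 1: rogue administrator logins, one per line on stdin. Matches the
# fixed name developer_api1 and dev_ followed by six alphanumerics (the
# article writes the suffix as xxxxxx; the exact length is an assumption).
flag_rogue_admins() {
  grep -E '^(developer_api1|dev_[A-Za-z0-9]{6})$' || true
}

# Check 2: plugin directories on disk that WordPress does not report. The
# backdoor hides from the dashboard and API responses and changes its name,
# so diffing the directory listing against what WordPress admits to is more
# reliable than looking for content-delivery-helper or database-optimizer.
# $1 = file of slugs found on disk, $2 = file of slugs WordPress reports.
hidden_plugins() {
  grep -vxF -f "$2" "$1" || true
}

# Check 3: files under the given paths that contain the C2 domain, the C2
# IP or the XOR key. Prints one matching path per line.
scan_for_iocs() {
  grep -rlF -e "$C2_DOMAIN" -e "$C2_IP" -e "$XOR_KEY" "$@" 2>/dev/null || true
}

# Live run against the site (requires WP-CLI). Read-only: it removes nothing.
main() {
  command -v wp >/dev/null || { echo "wp-cli not found" >&2; return 1; }
  cd "$WP_ROOT" || return 1
  tmp=$(mktemp -d)

  echo "== rogue administrator accounts =="
  # Read the users table through WP-CLI rather than trusting the admin UI.
  wp user list --role=administrator --field=user_login | flag_rogue_admins

  echo "== plugin directories on disk that WordPress does not report =="
  for d in wp-content/plugins/*/; do [ -d "$d" ] && basename "$d"; done \
    | sort -u > "$tmp/disk"
  wp plugin list --field=name | sort -u > "$tmp/known"
  hidden_plugins "$tmp/disk" "$tmp/known"

  echo "== files under wp-content containing the article's IoC strings =="
  scan_for_iocs wp-content

  rm -rf "$tmp"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from the WordPress root as `bash triage.sh --run`. Any output under the three headings is a finding, but empty output is not a clean bill of health: the backdoor changes its name and the IoC strings may not appear in later variants, so a site that had an admin session during the attack window should still rotate credentials and be restored from a known-good state.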
Article Info
Source: Cybersecurity News
Category: Industry News & Leadership
Published: Jun 16, 2026
Archived: Jun 16, 2026