Massive WordPress Supply Chain Attack Exposes 1.2 Million Sites
Security researchers at Sansec uncovered a large-scale supply chain attack targeting widely used WordPress plugins, exposing over 1.2 million websites to potential compromise. The campaign, active in recent weeks, involved malicious code injected into JavaScript files distributed via Awesome Motive’s CDN, affecting plugins like OptinMonster, TrustPulse, and PushEngage with OptinMonster alone installed on over one million sites.
Instead of directly breaching individual websites, attackers compromised upstream files hosted on Awesome Motive’s infrastructure. When loaded, the malware executed stealthily, activating only during authenticated WordPress admin sessions to evade detection. The payload gathered site metadata and authentication tokens, then attempted to create unauthorized admin accounts including a fixed account named developer_api1 and randomized accounts following the dev_xxxxxx pattern.
The malware established persistence by installing a hidden backdoor plugin, disguised as tools like "Content Delivery Helper" or "Database Optimizer", which evaded WordPress dashboards, API responses, and logs. It enabled full remote control, allowing arbitrary command execution via crafted requests. Stolen data was encrypted and sent to a command-and-control server at tidio[.]cc (84.201.6.54), a domain mimicking a legitimate service.
Awesome Motive attributed the breach to a vulnerability in the UpdraftPlus plugin, which attackers exploited to access a marketing server, retrieve a CDN API key, and inject malicious code. The company has since removed the scripts, rotated credentials, purged CDN caches, and migrated affected systems. Patchstack reported blocking hundreds of exploitation attempts, confirming active abuse of the backdoor.
Administrators are advised to audit for rogue admin accounts, scan for hidden plugins, and rotate credentials if an admin session occurred during the attack window. The incident underscores the escalating risk of supply chain attacks in the WordPress ecosystem, where a single compromised vendor can impact millions of sites.
Source: https://cybersecuritynews.com/optinmonster-plugin-exposes-wordpress-sites/
PushEngage TPRM report: https://www.rankiteo.com/company/awesome-motive-inc.
OptinMonster TPRM report: https://www.rankiteo.com/company/awesome-motive-inc.
TrustPulse TPRM report: https://www.rankiteo.com/company/sansec
Awesome Motive TPRM report: https://www.rankiteo.com/company/awesome-motive-inc.
"id": "awesan1781598286",
"linkid": "awesome-motive-inc., sansec",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Over 1.2 million websites',
'industry': 'Software (WordPress Plugins)',
'name': 'Awesome Motive',
'type': 'Vendor'},
{'industry': 'WordPress Plugin',
'name': 'OptinMonster',
'size': 'Over 1 million installations',
'type': 'Plugin'},
{'industry': 'WordPress Plugin',
'name': 'TrustPulse',
'type': 'Plugin'},
{'industry': 'WordPress Plugin',
'name': 'PushEngage',
'type': 'Plugin'}],
'attack_vector': 'Compromised CDN and plugin updates',
'customer_advisories': 'Administrators are advised to audit for rogue admin '
'accounts, scan for hidden plugins, and rotate '
'credentials.',
'data_breach': {'data_encryption': 'Yes (stolen data was encrypted)',
'data_exfiltration': 'Yes (sent to command-and-control server '
'at tidio[.]cc)',
'file_types_exposed': 'JavaScript files',
'sensitivity_of_data': 'High (admin credentials and tokens)',
'type_of_data_compromised': 'Site metadata, authentication '
'tokens'},
'description': 'Security researchers at Sansec uncovered a large-scale supply '
'chain attack targeting widely used WordPress plugins, '
'exposing over 1.2 million websites to potential compromise. '
'The campaign involved malicious code injected into JavaScript '
'files distributed via Awesome Motive’s CDN, affecting plugins '
'like OptinMonster, TrustPulse, and PushEngage. The malware '
'executed stealthily during authenticated WordPress admin '
'sessions, gathered site metadata and authentication tokens, '
'and created unauthorized admin accounts. It established '
'persistence via hidden backdoor plugins and enabled full '
'remote control, sending stolen data to a command-and-control '
'server.',
'impact': {'brand_reputation_impact': 'High',
'data_compromised': 'Site metadata and authentication tokens',
'identity_theft_risk': 'High (unauthorized admin accounts created)',
'operational_impact': 'Potential full remote control of affected '
'sites',
'systems_affected': 'Over 1.2 million WordPress sites'},
'initial_access_broker': {'backdoors_established': 'Hidden backdoor plugins '
"(e.g., 'Content Delivery "
"Helper', 'Database "
"Optimizer')",
'entry_point': 'Vulnerability in UpdraftPlus plugin',
'high_value_targets': 'WordPress admin sessions'},
'investigation_status': 'Ongoing',
'lessons_learned': 'The incident underscores the escalating risk of supply '
'chain attacks in the WordPress ecosystem, where a single '
'compromised vendor can impact millions of sites.',
'post_incident_analysis': {'corrective_actions': 'Removed malicious scripts, '
'rotated credentials, purged '
'CDN caches, migrated '
'affected systems',
'root_causes': 'Exploitation of a vulnerability in '
'the UpdraftPlus plugin to access a '
'marketing server and retrieve a '
'CDN API key'},
'recommendations': 'Administrators are advised to audit for rogue admin '
'accounts, scan for hidden plugins, and rotate credentials '
'if an admin session occurred during the attack window.',
'references': [{'source': 'Sansec'},
{'source': 'Patchstack'},
{'source': 'Awesome Motive'}],
'response': {'containment_measures': 'Removed malicious scripts, rotated '
'credentials, purged CDN caches, '
'migrated affected systems',
'remediation_measures': 'Auditing for rogue admin accounts, '
'scanning for hidden plugins, rotating '
'credentials',
'third_party_assistance': 'Sansec, Patchstack'},
'title': 'Massive WordPress Supply Chain Attack Exposes 1.2 Million Sites',
'type': 'Supply Chain Attack',
'vulnerability_exploited': 'Vulnerability in UpdraftPlus plugin'}