Bottom line: Supply chain attack via manipulated CDN conceals admin accounts and web shells on over 1.2 million WordPress websites; infections are not detectable through the standard dashboard.
An attacker manipulated JavaScript files from three widely used WordPress plugins and distributed them via a content delivery network (CDN) to install administrative backdoors on over 1.2 million websites. Security firm Sansec discovered the supply chain attack on Awesome Motive’s PushEngage, OptinMonster, and TrustPulse plugins in June 2026.
The attacker modified trusted JavaScript files delivered via CDN to customer websites. The malicious script remained inactive during normal page visits by regular visitors and was selectively executed only when a logged-in WordPress administrator loaded the page. The malicious code exploited this administrative session to covertly create a new administrator account with full access rights and install a hidden plugin. Since these activities occur outside the WordPress dashboard, detection through the regular administration interface is not possible.
For PushEngage, the files pushengage-web-sdk.js and pushengage-subscription.js were manipulated. The hidden plugin functions as a web shell and opens a permanent remote control channel through which attackers can read files, copy databases, or inject credit card skimmers. For OptinMonster and TrustPulse, the manipulated scripts were active for only about 25 minutes on June 12, 2026 (22:17–22:42 UTC), while the compromise at PushEngage lasted several hours and was traceable on some CDN servers until June 14, 2026. PushEngage confirmed the incident, replaced the affected files, cleared the CDN cache, and rotated access keys. No official statement has been issued by OptinMonster or TrustPulse.
The exact attack vector is disputed. PushEngage attributes the compromise to a known security vulnerability in the backup plugin UpdraftPlus, through which attackers allegedly obtained an API key for the CDN. Sansec disputes this claim and sees Awesome Motive’s servers as a more likely entry point. A known vulnerability in UpdraftPlus with CVE-ID CVE-2026-10795 was rated with a severity score of 8.1 by Wordfence; however, a direct connection to this incident has not been independently confirmed.
To check for possible compromise, administrators should inspect the file system server-side and search the wp-content/plugins directory for unauthorized folders such as “content-delivery-helper” or “database-optimizer”. In addition, any newly created administrator accounts such as “developer_api1” or accounts with the “dev_” prefix must be reviewed and removed. If infection indicators are found, all administrative passwords, API keys, database credentials, and secret keys in the wp-config.php file must be rotated.
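The server-side check described above, written as a shell sweep. This is an added example, not code from Sansec, the plugin vendors or the article; it assumes a standard WordPress directory layout and WP-CLI for listing administrators, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: sweep one WordPress root for the indicators the article names.
# The article gives these names as examples ("such as"), so a clean result
# does not rule out differently named folders or accounts.
SUSPECT_PLUGIN_DIRS="content-delivery-helper database-optimizer"

# Print each suspect folder that exists under <wp_root>/wp-content/plugins.
# Reads the file system directly, because the dashboard does not list them.
find_suspect_plugins() {
    for _name in $SUSPECT_PLUGIN_DIRS; do
        if [ -d "$1/wp-content/plugins/$_name" ]; then
            printf '%s\n' "$1/wp-content/plugins/$_name"
        fi
    done
}

# Read administrator logins on stdin (one per line) and print those equal to
# "developer_api1" or starting with "dev_". Exit status is always 0.
filter_suspect_admins() {
    grep -E '^(developer_api1$|dev_)' || true
}

# Sweep one site: WordPress root as $1, administrator logins on stdin.
# Prints "PLUGIN <path>" or "ADMIN <login>" per finding; returns 1 if any.
scan_site() {
    _report=$(
        find_suspect_plugins "$1" | sed 's/^/PLUGIN /'
        filter_suspect_admins | sed 's/^/ADMIN /'
    )
    if [ -z "$_report" ]; then
        return 0
    fi
    printf '%s\n' "$_report"
    return 1
}

# Typical use after sourcing this file (assumes WP-CLI is installed and
# /var/www/html is a placeholder for the site root):
#   wp user list --role=administrator --field=user_login --path=/var/www/html \
#     | scan_site /var/www/html
```

A non-zero return from `scan_site` means at least one indicator matched and the credential rotation step applies.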
Source: www.it-daily.net · Published June 15, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.