WordPress Plugins Hacked: Hidden Backdoors Planted on 1.2M Sites
A coordinated supply chain attack compromised JavaScript files served by three popular WordPress plugins—PushEngage, OptinMonster, and TrustPulse—turning trusted scripts into vectors for backdoor installation. Security firm Sansec disclosed the campaign on June 13, 2026, revealing that attackers tampered with CDN-served scripts to silently create rogue admin accounts and install hidden plugins whenever a logged-in WordPress administrator loaded the poisoned code. All three plugins are owned by Awesome Motive, which had not publicly commented on the OptinMonster or TrustPulse incidents as of June 15. PushEngage confirmed the breach a day later, advising affected users to treat their sites as fully compromised.
The attack windows varied significantly by plugin. Sansec detected the malicious code in OptinMonster and TrustPulse scripts for roughly 25 minutes on June 12 (22:17 to 22:42 UTC), while PushEngage's exposure was considerably longer—spanning several hours on June 12 and persisting on some CDN edge servers into June 14. Despite the shorter compromise window, OptinMonster alone serves over one million active installs, and combined the three plugins reach an estimated 1.2 million sites. The tampered PushEngage files, pushengage-web-sdk.js and pushengage-subscription.js, were distributed via clientcdn.pushengage.com, with separate Awesome Motive CDN endpoints delivering the poisoned OptinMonster and TrustPulse scripts.
The payload was specifically engineered to evade detection: it activated only when a WordPress administrator with active session cookies loaded the script, then leveraged those full admin privileges to create a new admin account under attacker control and install a stealth plugin invisible in the dashboard. PushEngage reported that no other systems or customer data stores were accessed. Because the backdoor deliberately avoids the WordPress admin interface, administrators cannot rely on dashboard checks to confirm a compromise—port scanning and server-side file integrity analysis are the only reliable verification methods. Site owners using any of the three plugins should immediately audit user accounts, review installed plugins at the filesystem level, and rotate all administrator credentials.
Administrators should also verify the integrity of their TLS connections to the affected CDN endpoints using our SSL/TLS checker, and confirm whether any admin email addresses appear in known exposures via the email breach checker. Supply chain compromises like this underscore the risk of third-party script dependencies—any external JavaScript loaded into an authenticated session becomes a potential attack surface, regardless of the vendor's reputation.
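The filesystem-level plugin review and administrator account audit recommended above can be scripted; the following is an added example, not code from Sansec, PushEngage or the original article. It assumes the operator keeps a known-good list of plugin entries and has a CSV export of administrators with `user_login` and `user_registered` columns; the directory names, logins and dates inside `demo()` are constructed.

```python
import csv, io, os, tempfile
from datetime import datetime, timezone

# Start of the day on which the page reports the tampering began (June 12, 2026, UTC).
SINCE = datetime(2026, 6, 12, tzinfo=timezone.utc)

def plugins_on_disk(wp_root):
    """Top-level entries in plugins/ and mu-plugins/, read from disk rather than the dashboard."""
    found = set()
    for sub in ("plugins", "mu-plugins"):
        path = os.path.join(wp_root, "wp-content", sub)
        if os.path.isdir(path):
            for name in os.listdir(path):
                found.add(f"{sub}/{name}")
    return found

def unexpected_plugins(wp_root, baseline):
    """Entries present on disk that are absent from the operator's known-good list."""
    return sorted(plugins_on_disk(wp_root) - set(baseline))

def recent_admins(csv_text, since=SINCE):
    """Administrator logins whose user_registered (stored in UTC) is on or after `since`."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reg = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if reg.replace(tzinfo=timezone.utc) >= since:
            hits.append(row["user_login"])
    return hits

def demo():
    """Run both checks against a constructed plugin tree and a constructed user export."""
    root = tempfile.mkdtemp()
    # Constructed layout: two expected plugins plus one hypothetical unknown directory.
    for entry in ("plugins/optinmonster", "plugins/pushengage", "plugins/wp-sys-cache"):
        os.makedirs(os.path.join(root, "wp-content", entry))
    baseline = ["plugins/optinmonster", "plugins/pushengage"]  # operator's own record (assumed)
    users = ("ID,user_login,user_registered\n"
             "1,siteowner,2023-03-04 10:00:00\n"
             "7,wp_support,2026-06-12 22:31:09\n")  # constructed rows
    return unexpected_plugins(root, baseline), recent_admins(users)

if __name__ == "__main__":
    print(demo())
```

A registration date outside the window does not clear an account, so the full administrator list still needs manual review alongside these results.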