Compromised Awesome Motive CDN Backdoored WordPress Sites via Popular Plugins
Attackers tampered with JavaScript served from Awesome Motive infrastructure for the widely used WordPress plugins OptinMonster, TrustPulse, and PushEngage, triggering a supply-chain compromise that Sansec said exposed more than 1.2 million sites. The malicious code activated only when a logged-in WordPress administrator visited an affected site, then stole authentication data, exfiltrated site details to the typosquatted domain tidio.cc, created rogue administrator accounts, and deployed a stealth plugin designed to hide from normal WordPress administrative views.
Researchers said the hidden plugin provided unauthenticated remote code execution through a web shell and an eval-style endpoint, effectively giving attackers arbitrary PHP execution on compromised servers. Sansec verified malicious code in OptinMonster and TrustPulse CDN files beginning June 12 and said those paths were later cleaned, while some PushEngage CDN edges continued serving infected code until June 14; the exact initial compromise point remains unknown, but the distribution path ran through Awesome Motive-operated domains via BunnyNet CDN. Defenders were urged to treat any affected site with an administrator logged in during the exposure window as fully compromised, remove rogue users, search for hidden plugin directories, and rotate all administrator credentials and secrets.
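Two of the clean-up checks above, finding plugin directories that the WordPress admin view does not list and administrator accounts created during the exposure window, can be run offline against a directory listing and a user export. This is an added example, not code from Sansec, Awesome Motive or the original page; the function names, directory names and user rows are constructed, and the window bounds assume whole calendar days.

```python
import os
import tempfile
from datetime import datetime

# Exposure window taken from the page: first malicious JS on June 12, 2026,
# some PushEngage edges infected until June 14, 2026 (end bound is exclusive).
WINDOW_START = datetime(2026, 6, 12)
WINDOW_END = datetime(2026, 6, 15)


def hidden_plugin_dirs(plugins_root, admin_visible):
    """Directories on disk that the WordPress plugin list does not show.

    admin_visible holds plugin basenames as WordPress reports them
    ("dir/main-file.php"); only the directory part is compared.
    """
    visible = {name.split("/", 1)[0] for name in admin_visible}
    with os.scandir(plugins_root) as entries:
        on_disk = {e.name for e in entries if e.is_dir(follow_symlinks=False)}
    return sorted(on_disk - visible)


def admins_created_in_window(users):
    """Administrator accounts whose user_registered falls in the window."""
    flagged = []
    for user in users:
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in user["roles"] and WINDOW_START <= registered < WINDOW_END:
            flagged.append(user["user_login"])
    return flagged


def build_sample_site():
    """Constructed sample: a plugins directory with one unlisted folder."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for name in ("optinmonster", "pushengage", ".cache-helper"):
        os.mkdir(os.path.join(root, name))
    visible = ["optinmonster/main.php", "pushengage/main.php"]  # constructed basenames
    users = [  # constructed rows shaped like a wp_users export plus role
        {"user_login": "siteowner", "roles": ["administrator"], "user_registered": "2024-03-02 09:15:00"},
        {"user_login": "wp_support7", "roles": ["administrator"], "user_registered": "2026-06-13 02:41:10"},
        {"user_login": "editor1", "roles": ["editor"], "user_registered": "2026-06-13 11:00:00"},
    ]
    return root, visible, users


if __name__ == "__main__":
    root, visible, users = build_sample_site()
    print("unlisted plugin directories:", hidden_plugin_dirs(root, visible))
    print("admins created in window:", admins_created_in_window(users))
```

An empty result does not clear a site: code running on the server can rewrite registration dates, so the guidance to treat exposed sites as fully compromised still applies.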

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Awesome Motive remediates server and rotates compromised credentials
Awesome Motive said it remediated the compromised marketing server, migrated the marketing site, and rotated credentials after the supply-chain attack. The company also stated that production systems, source code, and customer account data were not breached.
OptinMonster links attack to UpdraftPlus exploit and stolen CDN API key
According to OptinMonster’s disclosure, the supply-chain attack began when an attacker exploited a vulnerability in the UpdraftPlus plugin on OptinMonster’s marketing website and stole a CDN API key. The attacker then used that key to alter JavaScript files served from the vendor CDN to downstream WordPress sites.
PushEngage continues serving malicious code until June 14
Sansec reported that the PushEngage plugin continued delivering malicious code from some CDN edges until June 14, 2026, after the other affected plugin paths were removed. This extended the exposure window for downstream WordPress sites using the compromised asset.
Sansec discloses active supply-chain attack affecting WordPress plugins
On June 13, 2026, Sansec reported an active supply-chain compromise impacting more than 1.2 million WordPress sites via Awesome Motive infrastructure serving OptinMonster, TrustPulse, and PushEngage assets. Sansec said OptinMonster and TrustPulse paths had been cleaned on some edges, but PushEngage was still serving infected code and warned exposed sites should be treated as fully compromised.
Malicious code first appears in OptinMonster and TrustPulse CDN files
Sansec said the first verified malicious JavaScript was served on June 12, 2026 through Awesome Motive CDN-hosted files for the OptinMonster and TrustPulse WordPress plugins. The injected code targeted logged-in WordPress administrators, stole authentication data, created rogue admin accounts, and installed a hidden backdoor plugin.
Sources
OptinMonster Plugin Hack Exposes 1.2 Million Wordpress Sites to Cyberattack (cybersecuritynews.com)
Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites (thehackernews.com)
Attackers compromised Awesome Motive CDN files, backdooring WordPress sites running OptinMonster, TrustPulse, and PushEngage (securityaffairs.com)
OptinMonster Supply Chain Attack - CDN Poisoning at Scale - TheCyberThrone (thecyberthrone.in)
OptinMonster WordPress plugin hacked in CDN supply-chain attack (bleepingcomputer.com)
OptinMonster supply chain attack hits 1.2 million sites | Sansec (sansec.io)