Tampered WordPress Plugin Scripts Expose Sites To Hidden Backdoor Campaign

A large-scale web security incident involving trusted WordPress plugins has raised concerns after attackers tampered with JavaScript files associated with PushEngage, OptinMonster, and TrustPulse, potentially exposing websites to unauthorized access and hidden backdoors. Security researchers revealed that the malicious activity turned legitimate scripts into a delivery mechanism capable of compromising websites running the affected plugins. The campaign specifically targeted WordPress administrators, activating only when a logged-in administrator loaded the compromised script, while ordinary website visitors remained unaffected. Security experts have advised organizations that ran the affected plugins during the threat period to treat their websites as potentially compromised and perform immediate server-side investigations.

Cybersecurity firm Sansec disclosed details of the broader campaign on 13 June 2026, identifying identical malicious code embedded within JavaScript files served across all three plugins. PushEngage later confirmed the incident in its own advisory, acknowledging that attackers had delivered tampered versions of its scripts that could enable website takeovers. All three plugins are operated by Awesome Motive, although as of 15 June 2026, official guidance had only been issued for PushEngage users, while OptinMonster and TrustPulse customers had yet to receive formal incident-related communication. Investigators noted that the exposure period varied between the plugins. According to Sansec, malicious scripts associated with OptinMonster and TrustPulse remained active for approximately 25 minutes on 12 June, appearing around 22:17 UTC before disappearing by 22:42 UTC. PushEngage, however, experienced a longer exposure period lasting several hours on 12 June, with compromised files reportedly continuing to be served through some content delivery network servers into 14 June.

Researchers estimate that the three plugins collectively serve more than 1.2 million websites, with OptinMonster accounting for the majority through more than one million active installations, while PushEngage maintains over 9,000 WordPress installations. Security researchers emphasized that these figures represent plugin reach rather than confirmed compromise numbers. The attack relied on a targeted mechanism that only activated when a WordPress administrator visited a page containing the malicious script. Once executed, the code reportedly used the administrator’s active session to create a new administrative account controlled by the attacker, install a hidden plugin invisible within WordPress dashboards, and transmit newly generated login credentials along with site information to a suspicious domain, tidio.cc, which was reportedly designed to imitate a legitimate service. Researchers found that the hidden plugin served as a web shell capable of enabling remote command execution, allowing attackers to read or modify files, access databases, install additional malicious tools, redirect website traffic, or steal sensitive information.

Questions remain regarding how attackers initially gained access to the environment used to distribute the malicious scripts. PushEngage stated that the compromise originated from a separate server supporting its marketing website, through exploitation of a known UpdraftPlus plugin vulnerability, which allowed attackers to obtain a content delivery network API key and manipulate distributed files without breaching core systems or customer databases. However, Sansec stated that the precise entry point remains uncertain, suggesting that infrastructure linked to Awesome Motive could still represent a possible source of compromise, while discounting direct involvement from the content delivery provider. Security researchers also referenced CVE-2026-10795, an authentication bypass vulnerability affecting UpdraftPlus that has since been patched and is rated high severity. Experts advised organizations that ran any of the affected plugins during the incident period to conduct server-side scans, inspect plugin directories for suspicious files, review access logs for communication with malicious domains, and rotate passwords, credentials, API keys, and security configurations if compromise indicators are detected.
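An added triage script, not from the article, Sansec, or the plugin vendors, that checks the three indicators the advisories describe against constructed sample data: administrator accounts registered during the exposure window, plugin directories present on disk but absent from the dashboard listing, and access-log lines mentioning tidio.cc. The exact window boundaries, account names, plugin slugs and log lines are assumptions made for the example.

```python
from datetime import datetime, timezone

# Exposure window reported for the campaign (UTC): first malicious files seen
# on 12 June 2026 at 22:17; some PushEngage CDN nodes kept serving them into 14 June.
WINDOW_START = datetime(2026, 6, 12, 22, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 15, 0, 0, tzinfo=timezone.utc)
BEACON_DOMAIN = "tidio.cc"  # domain the tampered script sent credentials to


def admins_created_in_window(users):
    """users: rows from wp_users joined with the capabilities meta, as dicts
    {"login", "registered": "YYYY-MM-DD HH:MM:SS" (UTC), "roles": [...]}.
    Returns logins of administrator accounts registered inside the window."""
    hits = []
    for u in users:
        ts = datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        if "administrator" in u["roles"] and WINDOW_START <= ts <= WINDOW_END:
            hits.append(u["login"])
    return hits

def hidden_plugins(on_disk, shown_in_dashboard):
    """on_disk: directory names under wp-content/plugins/; shown_in_dashboard:
    slugs the Plugins page lists. A directory on disk that the dashboard never
    shows matches the hidden web-shell plugin described in the advisories."""
    return sorted(set(on_disk) - set(shown_in_dashboard))

def lines_mentioning_beacon(access_log):
    """Access-log lines whose request, referrer or user-agent mention the
    beacon domain; any hit warrants a closer look at that client and path."""
    return [line for line in access_log if BEACON_DOMAIN in line.lower()]

# Constructed sample data standing in for a real user export, directory listing and log.
SAMPLE_USERS = [
    {"login": "editor_jane", "registered": "2025-03-02 09:14:00", "roles": ["editor"]},
    {"login": "wp_support", "registered": "2026-06-12 22:31:05", "roles": ["administrator"]},
    {"login": "owner", "registered": "2024-01-10 12:00:00", "roles": ["administrator"]},
]
SAMPLE_DISK = ["optinmonster", "pushengage", "wp-core-helper", "akismet"]
SAMPLE_DASHBOARD = ["akismet", "optinmonster", "pushengage"]
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2026:22:33:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2026:22:33:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "https://tidio.cc/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("new admins in window:", admins_created_in_window(SAMPLE_USERS))
    print("plugins hidden from dashboard:", hidden_plugins(SAMPLE_DISK, SAMPLE_DASHBOARD))
    print("log lines mentioning beacon:", lines_mentioning_beacon(SAMPLE_LOG))
```

Any hit from these checks is a reason to pull the site offline for a full server-side review and credential rotation, not proof of compromise on its own.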
