OptinMonster Plugin Hack Exposes 1.2 Million WordPress Sites to Cyberattack

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A large-scale supply chain attack targeting widely used WordPress plugins has exposed more than 1.2 million websites to potential compromise after attackers injected malicious code into legitimate JavaScript files distributed through trusted CDN infrastructure.

Security researchers at Sansec discovered an ongoing campaign targeting plugins developed by Awesome Motive, including OptinMonster, TrustPulse, and PushEngage.

These plugins are installed on millions of WordPress sites worldwide, with OptinMonster alone surpassing one million active installations.

Rather than attacking individual websites directly, threat actors compromised upstream JavaScript files hosted on Awesome Motive’s CDN.

Any website loading these scripts unknowingly executed the injected malware, making this attack comparable to previous large-scale supply chain incidents.

The malicious payload is designed to remain stealthy and only activates when a WordPress administrator is logged in. It avoids execution in headless browsers and automated environments, significantly reducing the chances of detection during routine scans.


Once triggered, the script identifies the WordPress admin environment, gathers site metadata, and extracts authentication tokens from REST and AJAX endpoints.

Using these tokens, the malware attempts to create unauthorized administrator accounts through multiple methods, including REST API calls and form submissions.

The injected scripts were served through legitimate domains such as:

  • a.omappapi.com
  • a.opmnstr.com
  • a.optnmstr.com
  • a.trstplse.com
  • clientcdn.pushengage.com

The malware establishes persistence by creating both a fixed account named developer_api1 and additional randomized accounts following the dev_xxxxxx pattern.

The stolen credentials, along with site details, are encrypted and transmitted to a command-and-control server hosted on the domain tidio.cc, which mimics a legitimate service to evade suspicion.

To maintain long-term access, the attackers install a hidden backdoor plugin that is engineered to evade detection. The plugin conceals itself from the WordPress dashboard, API responses, update mechanisms, and activity logs.

It provides attackers with full remote control of compromised websites by enabling arbitrary command execution and remote code execution through specially crafted requests.

Indicators of Compromise

Organizations should check for the following:

  • Suspicious domains: tidio[.]cc (84[.]201[.]6[.]54).
  • Rogue admin accounts: developer_api1 or dev_xxxxxx.
  • Hidden plugins: content-delivery-helper or database-optimizer.
  • Unique string: jX9kM2nP4qR6sT8v (XOR key).

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Sansec researchers observed that the plugin frequently changes its disguise, appearing as legitimate tools such as “Content Delivery Helper” or “Database Optimizer.”

Active exploitation has been confirmed, with Patchstack blocking hundreds of attempts to create rogue administrator accounts across multiple sites, indicating real-world abuse of the backdoor.

According to Awesome Motive, the incident was caused by the exploitation of a vulnerability in the UpdraftPlus plugin.

Attackers reportedly gained access to a server hosting marketing infrastructure, retrieved a CDN API key, and used it to inject malicious code into files distributed to customers.

The company has since removed the malicious scripts, rotated credentials, purged CDN caches, and migrated affected systems to new infrastructure.

Administrators using the affected plugins are strongly advised to assume potential compromise if a logged-in admin session occurred during the attack window.

Immediate steps should include auditing all administrator accounts for unauthorized entries, scanning the filesystem directly for hidden plugins, and rotating all credentials.

Since the malware activates only during authenticated admin sessions, server-side inspection remains one of the most effective detection methods.
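The account audit and the direct filesystem scan recommended above, as an added example that is not part of the original article and not code from Sansec, Patchstack or Awesome Motive. The account names, plugin slugs and XOR key string come from the indicators listed above; the assumption that dev_xxxxxx means dev_ followed by six alphanumeric characters is mine, as is the constructed fixture directory used to exercise the checks.

```shell
#!/bin/sh
# Added example: server-side checks for the indicators named in the article.
# Assumption: dev_xxxxxx denotes dev_ followed by six alphanumeric characters.

# Print administrator logins matching the rogue-account patterns.
# Input: one login per line on stdin, e.g. from
#   wp user list --role=administrator --field=user_login
# Exit status 0 when at least one rogue login is found, 1 otherwise.
find_rogue_admins() {
  grep -E '^(developer_api1|dev_[A-Za-z0-9]{6})$'
}

# Scan a wp-content/plugins directory on disk. The backdoor hides itself from
# the dashboard and the API, so the filesystem is the ground truth here.
# Flags the disguise slugs from the article and any file containing the XOR key.
# Exit status 0 when something suspicious is found, 1 otherwise.
# Usage: scan_plugins_dir /var/www/html/wp-content/plugins
scan_plugins_dir() {
  dir="$1"
  found=1
  for slug in content-delivery-helper database-optimizer; do
    if [ -d "$dir/$slug" ]; then
      echo "hidden plugin directory: $dir/$slug"
      found=0
    fi
  done
  # grep -rl prints every file that embeds the key and exits 0 on a match.
  if grep -rl -- 'jX9kM2nP4qR6sT8v' "$dir" 2>/dev/null; then
    found=0
  fi
  return $found
}

# Constructed fixture (not real data) so the checks can be tried offline:
# one benign plugin and one disguised plugin carrying the XOR key.
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/plugins/akismet" "$fx/plugins/database-optimizer"
  printf '<?php // legitimate plugin\n' > "$fx/plugins/akismet/akismet.php"
  printf '<?php $k = "jX9kM2nP4qR6sT8v";\n' > "$fx/plugins/database-optimizer/loader.php"
  echo "$fx"
}
```

Run the scan against the real plugins directory and feed the administrator list from WP-CLI or a direct query on the users table into find_rogue_admins; any output from either check warrants the full credential rotation described above.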

This incident highlights the growing threat of supply chain attacks in the WordPress ecosystem, where compromising a single trusted source can lead to widespread impact across millions of websites.
