OptinMonster Plugin Hack Exposes 1.2M WordPress Sites
A significant supply chain attack has potentially exposed over 1.2 million websites to compromise. The incident targeted widely used WordPress plugins, with attackers injecting malicious code into legitimate JavaScript files. These compromised files were then distributed through trusted content delivery network (CDN) infrastructure.
Security researchers at Sansec discovered an ongoing campaign targeting plugins developed by Awesome Motive, including OptinMonster, TrustPulse, and PushEngage.
These plugins are installed on millions of WordPress sites worldwide, with OptinMonster alone surpassing one million active installations.
Rather than attacking individual websites directly, threat actors compromised upstream JavaScript files hosted on Awesome Motive’s CDN.
Any website loading these scripts unknowingly executed the injected malware, making this attack comparable to previous large-scale supply chain incidents.
The malicious payload is designed to remain stealthy and only activates when a WordPress administrator is logged in. It avoids execution in headless browsers and automated environments, significantly reducing the chances of detection during routine scans.
The injected scripts were served through legitimate domains such as:
- a.omappapi.com
- a.opmnstr.com
- a.optnmstr.com
- a.trstplse.com
- clientcdn.pushengage.com
Once triggered, the script confirms it is running inside the WordPress admin, gathers site metadata, and extracts the authentication tokens (REST and AJAX nonces) that the logged-in admin session already holds.
Using these tokens, the malware attempts to create unauthorized administrator accounts through multiple methods, including REST API calls and form submissions.
It establishes persistence by creating both a fixed account named developer_api1 and additional randomized accounts following the dev_xxxxxx pattern.
The resulting credentials, along with site details, are XOR-encoded with a static key and transmitted to a command-and-control server on the domain tidio[.]cc, a name chosen to resemble a legitimate service and evade suspicion.
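Because the account creations described above are issued by the injected script from the administrator's own browser, they reach the server carrying the admin's cookies, nonce and IP address; an IP allowlist does not separate them from the admin's legitimate activity, but the requests themselves are visible in the web server access log. The following Python is an added example, not code from Sansec, Patchstack or Awesome Motive: it parses constructed combined-format log lines (fake host name, IPs and timestamps) and flags POSTs to the two WordPress user-creation channels the article names, the REST users endpoint and the classic user-new.php form, noting whether the same client had just been browsing wp-admin.

```python
import re

# Constructed combined-format access-log lines (fake host, IPs and timestamps);
# they are not from a real incident. Lines 1-2 are the admin browsing wp-admin,
# lines 3-4 are the account-creation requests the injected script issues from
# that same browser, line 5 is an unrelated visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:14:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0 Chrome/122.0"
203.0.113.7 - - [10/Mar/2026:09:14:03 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 22100 "https://example.test/wp-admin/" "Mozilla/5.0 Chrome/122.0"
203.0.113.7 - - [10/Mar/2026:09:14:05 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 612 "https://example.test/wp-admin/" "Mozilla/5.0 Chrome/122.0"
203.0.113.7 - - [10/Mar/2026:09:14:06 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://example.test/wp-admin/user-new.php" "Mozilla/5.0 Chrome/122.0"
198.51.100.4 - - [10/Mar/2026:09:15:00 +0000] "GET /?p=42 HTTP/1.1" 200 9900 "-" "Mozilla/5.0"
"""

# One combined-log-format line: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two creation channels the article names: the REST users endpoint (pretty
# permalinks or the ?rest_route= fallback) and the classic user-new.php form.
CREATION_ENDPOINTS = (
    ("rest", re.compile(r"^/wp-json/wp/v2/users(?:/|\?|$)")),
    ("rest", re.compile(r"^/\?rest_route=(?:/|%2F)wp(?:/|%2F)v2(?:/|%2F)users")),
    ("form", re.compile(r"^/wp-admin/user-new\.php(?:\?|$)")),
)


def parse_log(text):
    """Yield a dict per line that matches combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_user_creation_attempts(text):
    """Return every POST to a user-creation endpoint, tagged with whether the
    same client IP had already been browsing wp-admin earlier in the log."""
    admin_clients = set()
    hits = []
    for rec in parse_log(text):
        if rec["method"] == "GET" and rec["path"].startswith("/wp-admin/"):
            admin_clients.add(rec["ip"])
        if rec["method"] != "POST":
            continue
        for channel, pattern in CREATION_ENDPOINTS:
            if pattern.match(rec["path"]):
                status = int(rec["status"])
                hits.append({
                    "ip": rec["ip"],
                    "time": rec["ts"],
                    "channel": channel,
                    "path": rec["path"],
                    "status": status,
                    # 201 from the REST endpoint means a user object was created;
                    # a 302 from the form only shows a submission and must be
                    # confirmed against the users table.
                    "rest_created": channel == "rest" and status == 201,
                    "from_admin_session": rec["ip"] in admin_clients,
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_user_creation_attempts(SAMPLE_LOG):
        print(hit)
```

On a real host, feed it the Apache or nginx access log for the attack window and treat any hit whose account you did not create yourself as confirmation, not just suspicion; the `from_admin_session` flag is there to show that the rogue request and the admin's own page loads share a client, which is why the page recommends auditing accounts rather than trusting source IPs.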
To maintain long-term access, the attackers install a hidden backdoor plugin engineered to evade detection: it filters itself out of the plugin list in the WordPress dashboard, out of API responses, out of update checks, and out of activity logs.
It gives attackers full remote control of a compromised site by executing arbitrary system commands and code in response to specially crafted requests.
Indicators of Compromise
Organizations should check for the following:
- Suspicious domain and IP: tidio[.]cc (84[.]201[.]6[.]54).
- Rogue administrator accounts: developer_api1 or dev_xxxxxx (randomized suffix).
- Hidden plugin directories: content-delivery-helper or database-optimizer.
- Unique string: jX9kM2nP4qR6sT8v (XOR key).
Note: the IP address and domain above are intentionally defanged with [.] to prevent accidental resolution or hyperlinking. Re-fang them only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Sansec researchers observed that the plugin frequently changes its disguise, appearing as legitimate tools such as “Content Delivery Helper” or “Database Optimizer.”
Active exploitation has been confirmed, with Patchstack blocking hundreds of attempts to create rogue administrator accounts across multiple sites, indicating real-world abuse of the backdoor.
According to Awesome Motive, the incident was caused by the exploitation of a vulnerability in the UpdraftPlus plugin.
Attackers reportedly gained access to a server hosting marketing infrastructure, retrieved a CDN API key, and used it to inject malicious code into files distributed to customers.
The company has since removed the malicious scripts, rotated credentials, purged CDN caches, and migrated affected systems to new infrastructure.
Administrators using the affected plugins are strongly advised to assume potential compromise if a logged-in admin session occurred during the attack window.
Immediate steps should include auditing all administrator accounts for unauthorized entries, scanning the filesystem directly for hidden plugins, and rotating all credentials.
Since the malware activates only during authenticated admin sessions, server-side inspection remains one of the most effective detection methods.
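The three server-side checks just listed (audit administrator accounts, inspect the plugin directory on disk rather than trusting the dashboard, search for the published string indicators) can be scripted. The Python below is an added example, not a tool from Sansec, Patchstack or Awesome Motive. It runs against a constructed, throwaway WordPress-shaped directory and a constructed user export in the shape of `wp user list --fields=user_login,roles --format=csv`; the fake accounts, the "akismet" stand-in for what the dashboard reports, and the assumption that the dev_xxxxxx suffix is six lowercase alphanumerics are all this example's own.

```python
import csv
import io
import os
import re
import tempfile

# Indicators quoted in the article. "dev_xxxxxx" is stated loosely there; six
# lowercase alphanumerics after the underscore is an assumption made here.
HIDDEN_PLUGIN_DIRS = {"content-delivery-helper", "database-optimizer"}
ROGUE_LOGIN_RE = re.compile(r"^(?:developer_api1|dev_[a-z0-9]{6})$")
STRING_IOCS = {
    "xor_key": re.compile(rb"jX9kM2nP4qR6sT8v"),
    "c2_domain": re.compile(rb"tidio\.cc"),
}

# Constructed user export in the shape of
#   wp user list --fields=user_login,roles --format=csv
# (fake accounts; not data from any real site).
SAMPLE_USERS_CSV = """\
user_login,roles
admin,administrator
editor_jane,editor
developer_api1,administrator
dev_k3x9q2,administrator
"""


def audit_users(csv_text):
    """Return administrator logins matching the rogue-account patterns."""
    return [
        row["user_login"]
        for row in csv.DictReader(io.StringIO(csv_text))
        if "administrator" in row["roles"] and ROGUE_LOGIN_RE.match(row["user_login"])
    ]


def audit_plugins(wp_root, reported_plugins):
    """Compare plugin directories on disk with the list the dashboard or the
    REST API reports. A directory on disk that WordPress does not report is
    the footprint of a plugin filtering itself out of its own listings."""
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    on_disk = {
        name for name in os.listdir(plugins_dir)
        if os.path.isdir(os.path.join(plugins_dir, name))
    }
    return {
        "unreported": sorted(on_disk - set(reported_plugins)),
        "known_bad": sorted(on_disk & HIDDEN_PLUGIN_DIRS),
    }


def grep_iocs(wp_root):
    """Walk the install and return (relative path, indicator) for every file
    containing the XOR key or the C2 domain. Matching on bytes avoids decode
    errors on minified or binary files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(wp_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            for label, pattern in STRING_IOCS.items():
                if pattern.search(data):
                    hits.append((os.path.relpath(path, wp_root), label))
    return sorted(hits)


def build_fixture():
    """Create a throwaway WordPress-shaped tree with one benign plugin and one
    hidden backdoor plugin; constructed for this example, not real malware."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "wp-content/plugins/akismet/akismet.php": b"<?php // benign plugin stub\n",
        "wp-content/plugins/content-delivery-helper/content-delivery-helper.php":
            b"<?php // hidden plugin stub\n$k = 'jX9kM2nP4qR6sT8v'; $c2 = 'https://tidio.cc/';\n",
        "wp-content/uploads/2026/notes.txt": b"nothing to see here\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_fixture()
    print("rogue admins:", audit_users(SAMPLE_USERS_CSV))
    # "akismet" stands in for what wp-admin or /wp-json/wp/v2/plugins reports.
    print("plugins:", audit_plugins(root, ["akismet"]))
    print("string IOCs:", grep_iocs(root))
```

The plugin comparison is the important step: the page says the backdoor hides from the dashboard and API responses, so the list WordPress gives you is exactly the one you cannot trust, and only the `wp-content/plugins` directory itself (or a database query against `wp_options` for active plugins) is authoritative. Run the sweep with the web server stopped or from a snapshot if you want a clean filesystem view, and rotate every credential afterwards regardless of what it finds.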
This incident highlights the growing threat of supply chain attacks in the WordPress ecosystem, where compromising a single trusted source can lead to widespread impact across millions of websites.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.