OptinMonster CDN Attack Exposed 1.2 Million WordPress Sites to Possible Takeover

A supply chain attack involving OptinMonster, TrustPulse, and PushEngage exposed more than 1.2 million WordPress sites to possible takeover after attackers tampered with JavaScript files served from trusted CDN infrastructure.

Security firm Sansec said the malicious code was added to legitimate files loaded by sites using the Awesome Motive-owned plugins. The payload did not target ordinary visitors. It activated only when a logged-in WordPress administrator loaded an affected page.

Once active, the script attempted to use the administrator’s own session to create rogue admin accounts, install a hidden backdoor plugin, and send site details to attacker-controlled infrastructure. OptinMonster said its application servers, source code, and customer account systems were hosted separately and showed no evidence of unauthorized access.

How the OptinMonster Supply Chain Attack Worked

The incident was not a typical WordPress plugin vulnerability where attackers exploit outdated code on each customer site. Instead, attackers modified JavaScript files that customer websites already trusted and loaded from vendor-controlled CDN domains.

According to the official OptinMonster incident notice, an attacker gained access to a CDN credential stored on a separate marketing website server. The company said the attacker then used that credential to serve a tampered version of the JavaScript file used by OptinMonster and TrustPulse customers.

PushEngage published a separate notice with similar findings. It said the affected PushEngage scripts were served from CDN edge locations for several hours on June 12, 2026, and for a subset of users until June 14, 2026.

Affected Products and Reported Risk

Product	What was affected	Reported risk
OptinMonster	CDN-hosted front-end JavaScript	Rogue admin account creation and hidden backdoor installation if an admin was logged in during the exposure window
TrustPulse	CDN-hosted front-end JavaScript	Same admin-session takeover risk reported for OptinMonster
PushEngage	CDN-hosted web push scripts	Similar attack flow, with some CDN edge exposure reportedly lasting longer

The main risk came from the way the malicious script used valid administrator cookies and WordPress security tokens. Because the browser of a real logged-in admin made the requests, some activity could look similar to normal administrator actions at the network level.

Patchstack said its mitigation rule blocked 271 exploitation attempts across 13 customer sites between June 14 and June 15. Most of those attempts targeted the WordPress REST API endpoint used to create new users.

The attack also shows why fully updated WordPress sites can still be affected by third-party script compromise. In this case, the customer site did not need to install a malicious plugin update. It only needed to load the affected vendor script while an administrator was signed in.

What the Malware Tried to Do

The injected script first checked whether it was running inside a real browser and a WordPress administrator context. It avoided headless browsers and automated environments, which made the campaign harder to catch through basic scanning.

After confirming that a logged-in admin was present, the script gathered WordPress nonces and other session data needed to act with administrator privileges. It then attempted to create a new administrator account through several routes, including the REST API, the new-user admin form, AJAX requests, and a hidden iframe submission.

The known rogue account names include developer_api1 and randomized dev_xxxxxx accounts. The malware also attempted to install a self-hiding backdoor plugin that could disappear from the WordPress dashboard and expose command execution features.

Indicators of Compromise

• Suspicious account names: developer_api1 or dev_xxxxxx
• Suspicious plugin folders: content-delivery-helper or database-optimizer
• Backdoor names: Content Delivery Helper or Database Optimizer
• Suspicious command-and-control domain: tidio[.]cc
• Suspicious IP address: 84.201.6[.]54
• Unique malware string: jX9kM2nP4qR6sT8v
• Backdoor shell label: WPM File Manager & Shell

Site owners should not rely only on the WordPress dashboard to check for compromise. Both the vendor notices and security researchers warned that the backdoor plugin was designed to hide from admin screens.

Admins should inspect the server filesystem directly, especially the wp-content/plugins directory. They should also review administrator accounts, server logs, and outbound traffic for the known indicators listed above.

Sansec’s research also warned that the backdoor could give attackers broad control over a compromised site. That means deleting only one rogue account may not be enough if the attacker already gained code execution.

What WordPress Site Owners Should Do Now

Any site that used OptinMonster, TrustPulse, or PushEngage during the reported exposure window should check whether a WordPress administrator was logged in at the time. If that cannot be confirmed, admins should still audit the site.

1. Check all administrator accounts and remove any accounts you did not create.
2. Inspect wp-content/plugins directly on the server for hidden or suspicious plugin folders.
3. Run a server-side malware scan rather than relying only on dashboard checks.
4. Review web server logs for suspicious requests related to user creation, plugin upload, or the listed indicators.
5. Rotate administrator passwords, API keys, database credentials, and WordPress salts if any sign of compromise appears.
6. Block known attacker infrastructure at the DNS, firewall, or network layer where appropriate.
7. Enable two-factor authentication for all administrator accounts.

The latest PushEngage security notice says the company reverted the affected CDN files, purged the CDN cache, rotated credentials, and moved the marketing site to new infrastructure. However, vendor-side remediation does not remove backdoors already installed on customer websites.

The same warning applies to OptinMonster and TrustPulse users. If the malicious code ran while an administrator was logged in, the site may still contain a rogue account or hidden plugin until the owner removes it.

Why This Attack Matters

This incident highlights a difficult problem for WordPress security. Many websites load third-party scripts from trusted vendors, and those scripts often run with enough access to affect real site behavior.

When a vendor CDN account is compromised, attackers can reach many downstream websites without logging in to each one. This makes supply chain security, credential isolation, CDN key rotation, and server-side monitoring more important for plugin vendors and site owners.

The Patchstack analysis said the attack used the administrator’s own authenticated session, which made malicious requests harder to distinguish from legitimate admin actions. That is why known attacker fingerprints, server-side scanning, and filesystem checks matter more than a quick dashboard review.

FAQ