WordPress Plugin Supply-Chain Backdoor: PushEngage & OptinMo

🟠 High | Source: The Hacker News

Attackers tampered with JavaScript files distributed by three popular WordPress plugins — PushEngage, OptinMonster, and TrustPulse — injecting malicious code that creates a rogue admin account and installs a hidden backdoor plugin when a logged-in administrator loads the compromised script. The attack is a supply-chain compromise targeting the plugin delivery mechanism rather than WordPress itself, meaning sites that kept plugins updated may still have been affected. Any site running these plugins while an admin was active during the compromise window should be treated as potentially backdoored. ...

15 June 2025 · ZX Cloud Security
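A triage check for the two artifacts described above, a rogue administrator account and a hidden plugin; this is an added example, not code from the advisory or the affected vendors. The compromise window, account names and plugin directory names below are constructed placeholders, since the page does not state them, and the inputs are assumed to come from an export of administrator users and a listing of `wp-content/plugins`.

```python
from datetime import datetime, timezone

def parse_ts(value):
    # WordPress stores user_registered as "YYYY-MM-DD HH:MM:SS" in UTC.
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def triage(admins, known_admins, dirs_on_disk, expected_slugs, window_start, window_end):
    """Return findings for unknown admin accounts and unexpected plugin directories."""
    findings = []
    for user in admins:
        if user["user_login"] in known_admins:
            continue
        # Unknown admins are always reported; the window only ranks them,
        # because a backdoor with admin rights can rewrite registration dates.
        registered = parse_ts(user["user_registered"])
        when = "in_window" if window_start <= registered <= window_end else "outside_window"
        findings.append(("unknown_admin", user["user_login"], when))
    # A plugin that hides itself from the dashboard still needs files on disk,
    # so compare the directory listing against the approved inventory.
    for slug in sorted(set(dirs_on_disk) - set(expected_slugs)):
        findings.append(("unexpected_plugin_dir", slug, "on_disk_not_in_inventory"))
    return findings

def run_sample():
    # Constructed sample data; none of these values come from the advisory.
    admins = [
        {"user_login": "site-owner", "user_registered": "2021-03-04 10:00:00"},
        {"user_login": "wp-support-svc", "user_registered": "2025-01-01 12:30:00"},
        {"user_login": "old-contractor", "user_registered": "2022-07-19 08:15:00"},
    ]
    known_admins = {"site-owner"}
    dirs_on_disk = ["pushengage", "optinmonster", "cache-helper-x"]
    expected_slugs = ["pushengage", "optinmonster"]
    # PLACEHOLDER window: replace with the dates published by the plugin vendor.
    start = datetime(2025, 1, 1, tzinfo=timezone.utc)
    end = datetime(2025, 1, 2, tzinfo=timezone.utc)
    return triage(admins, known_admins, dirs_on_disk, expected_slugs, start, end)

if __name__ == "__main__":
    for kind, name, detail in run_sample():
        print(f"{kind}\t{name}\t{detail}")
```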
