Attackers tampered with JavaScript files distributed by three popular WordPress plugins — PushEngage, OptinMonster, and TrustPulse — injecting malicious code that creates a rogue admin account and installs a hidden backdoor plugin when a logged-in administrator loads the compromised script. The attack is a supply-chain compromise targeting the plugin delivery mechanism rather than WordPress itself, meaning sites that kept plugins updated may still have been affected. Any site running these plugins while an admin was active during the compromise window should be treated as potentially backdoored.

Security Architect’s Take: Audit all WordPress sites running PushEngage, OptinMonster, or TrustPulse for unexpected admin accounts and unauthorised plugins created during the suspected compromise window, and consider implementing subresource integrity (SRI) checks or a web application firewall rule to alert on unexpected script modifications from third-party plugin CDNs.

Original advisory: Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites