WordPress plugin hijack plants hidden backdoors

Attackers tampered with JavaScript served by three widely used WordPress marketing plugins, exposing more than 1.2 million websites to rogue administrator accounts and concealed backdoors.

The incident affected OptinMonster, TrustPulse and PushEngage, products operated under the Awesome Motive umbrella and embedded on sites for pop-ups, lead generation, social proof alerts and push notifications. The compromise did not arrive through a normal plugin update. Instead, malicious code was appended to legitimate front-end scripts delivered through vendor-controlled content delivery network endpoints, meaning fully patched websites could still have loaded the poisoned files.

The injected script was designed to stay quiet for ordinary visitors. It activated only when a logged-in WordPress administrator loaded an affected page, then used that session to collect valid security tokens and make requests that looked like legitimate administrative actions. Once triggered, it attempted to create a new administrator account, install a self-hiding plugin and transmit credentials and site details to an attacker-controlled lookalike domain, tidio.cc, which mimicked the legitimate tidio.com brand.

The fixed operator account identified in the campaign was developerapi1 using the email customer1usx@gmail.com, while most observed attempts used randomised devxxxxxx administrator identities. The backdoor plugin rotated names, including “Content Delivery Helper” and “Database Optimizer”, and was built to hide from plugin lists, user lists, update checks and common dashboard views. It also exposed a web shell capable of running server commands and a separate code-execution endpoint.

The exposure window varied across products. Malicious code was seen in OptinMonster and TrustPulse script files late on June 12 UTC and was removed within a short window, while PushEngage’s affected scripts were served for several hours on June 12 and continued from some CDN edge locations into June 14. The companies have since said the altered files were removed, CDN caches purged and credentials rotated, but those steps do not remove backdoors already planted on customer websites.

OptinMonster has more than 1 million active WordPress installations, while PushEngage lists more than 9,000 active installations. OptinMonster’s own marketing says more than 1.2 million users rely on the service. WordPress remains the dominant content management system, powering about 41.5 per cent of all websites and 59.3 per cent of sites whose content management system can be identified, making plugin supply-chain incidents unusually wide in reach.

Vendor notices attributed the breach to an attacker gaining access to a marketing website server through a known vulnerability in UpdraftPlus, a backup and migration plugin, and then finding a CDN API key on that server. They said application servers, source code repositories and customer-data systems were hosted separately and showed no evidence of access. Security researchers have treated the initial entry point as still needing full corroboration, while agreeing that the critical abuse path was control over scripts delivered from trusted CDN locations.

The UpdraftPlus issue cited in the notices is tracked as CVE-2026-10795 and affects versions up to and including 1.26.4 in specific circumstances involving UpdraftCentral connections. It allows unauthenticated attackers to run remote procedure calls as a connected administrator, potentially uploading and activating malicious plugins. The flaw has been patched, but its appearance in the same chronology highlights the layered risk created when a plugin, a marketing site and a CDN key intersect.

Firewall telemetry from protected sites showed 271 blocked exploitation attempts across 13 websites over about 36 hours on June 14 and 15, from 81 unique IP addresses. Most attempts used the WordPress REST users endpoint, matching the payload’s effort to create an administrator account under cover of a genuine admin session.
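The indicators in the two passages above (the fixed operator account and rotating plugin names, and the REST users endpoint seen in the firewall telemetry) can be turned into a site-owner's hunt script. The following is an added example written for this article; it is not code from the article or from OptinMonster, TrustPulse, PushEngage or Awesome Motive. It assumes an Apache/nginx "combined" access log, a user list pulled from the database (wp-cli or a direct query) and plugin headers read from the files under wp-content/plugins rather than from the dashboard, since the article says the backdoor filters dashboard views. The six-character suffix for the devxxxxxx pattern is an assumption, and every log line, user and plugin header below is constructed sample data.

```python
"""Indicator hunt for the plugin-hijack campaign described in the article.

Added example; not the article's or any vendor's code. All sample data is constructed.
"""
import re
from collections import Counter

# Indicators quoted in the article.
KNOWN_OPERATOR_USER = "developerapi1"
KNOWN_OPERATOR_EMAIL = "customer1usx@gmail.com"
BACKDOOR_PLUGIN_NAMES = {"Content Delivery Helper", "Database Optimizer"}
# "devxxxxxx" identities; six trailing alphanumerics is an assumption, not from the article.
RANDOMISED_ADMIN_RE = re.compile(r"^dev[a-z0-9]{6}$")

# Apache/nginx combined log format (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Both routing styles WordPress accepts for the REST users collection.
USERS_ROUTE_RE = re.compile(r"(^/wp-json/wp/v2/users/?(\?|$))|(rest_route=/wp/v2/users/?(&|$))")
# "Plugin Name:" header line inside a plugin's main PHP file.
PLUGIN_HEADER_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(?P<name>.+?)\s*$", re.MULTILINE)


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def user_creation_attempts(lines):
    """POST requests to the REST users collection, the call that creates an account.

    GET requests to the same route are ordinary user enumeration and are not counted.
    """
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["method"] == "POST" and USERS_ROUTE_RE.search(rec["path"]):
            hits.append(rec)
    return hits


def summarise_attempts(hits):
    """Counts comparable to the firewall telemetry in the article: attempts and unique IPs."""
    by_status = Counter(h["status"] for h in hits)
    return {
        "attempts": len(hits),
        "unique_ips": len({h["ip"] for h in hits}),
        "created": by_status["201"],  # a 201 means an account really was added
        "blocked": by_status["401"] + by_status["403"],
    }


def flag_users(users):
    """users: dicts with login/email/role. Flags the fixed operator identity and dev* admins."""
    flagged = []
    for u in users:
        reasons = []
        if u["login"] == KNOWN_OPERATOR_USER or u["email"].lower() == KNOWN_OPERATOR_EMAIL:
            reasons.append("known operator identity")
        if u["role"] == "administrator" and RANDOMISED_ADMIN_RE.match(u["login"]):
            reasons.append("randomised dev* administrator")
        if reasons:
            flagged.append({"login": u["login"], "reasons": reasons})
    return flagged


def plugin_name_from_header(php_source):
    """Extract the display name from a plugin file's header comment."""
    m = PLUGIN_HEADER_RE.search(php_source)
    return m.group("name") if m else None


def flag_plugins(plugin_files):
    """plugin_files: {relative path: file contents} read from wp-content/plugins on disk.

    The inventory must come from the filesystem: the article says the backdoor hides
    itself from the dashboard's plugin list, which a file listing does not go through.
    """
    return [path for path, src in plugin_files.items()
            if plugin_name_from_header(src) in BACKDOOR_PLUGIN_NAMES]


# Constructed sample data (not real telemetry).
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Jun/2026:03:12:41 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 403 104 "https://example.com/" "Mozilla/5.0"',
    '203.0.113.10 - - [14/Jun/2026:03:12:43 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 403 104 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jun/2026:05:48:02 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 512 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jun/2026:05:48:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [14/Jun/2026:06:01:00 +0000] "POST /index.php?rest_route=/wp/v2/users HTTP/1.1" 401 98 "-" "curl/8.0"',
    '192.0.2.55 - - [14/Jun/2026:06:01:30 +0000] "GET /wp-content/plugins/optinmonster/assets/js/api.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
SAMPLE_USERS = [
    {"login": "alice", "email": "alice@example.com", "role": "administrator"},
    {"login": "developerapi1", "email": "customer1usx@gmail.com", "role": "administrator"},
    {"login": "devk3q9zt", "email": "devk3q9zt@example.net", "role": "administrator"},
    {"login": "devops", "email": "ops@example.com", "role": "editor"},
]
SAMPLE_PLUGIN_FILES = {  # paths are constructed placeholders, not the real slugs
    "optinmonster/optin-monster-wp-api.php": "<?php\n/**\n * Plugin Name: OptinMonster\n */\n",
    "example-helper/example-helper.php": "<?php\n/*\nPlugin Name: Content Delivery Helper\n*/\n",
}

if __name__ == "__main__":
    print(summarise_attempts(user_creation_attempts(SAMPLE_LOG)))
    print(flag_users(SAMPLE_USERS))
    print(flag_plugins(SAMPLE_PLUGIN_FILES))
```

On a real site, feed the access log to `user_creation_attempts`, the output of `wp user list --fields=user_login,user_email,roles` (reshaped into the login/email/role dicts) to `flag_users`, and the contents of each plugin's main file to `flag_plugins`. A 201 on the users route inside the exposure window is the strongest single signal that an account was actually created and should prompt a full rebuild rather than just deleting the user.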



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
