OptinMonster WordPress Plugin Hacked in Supply-Chain Attack – Veri Sızıntısı

OptinMonster WordPress Plugin Hacked

Popular WordPress plugins OptinMonster, TrustPulse, and PushEngage have been compromised in a supply-chain attack on their parent company Awesome Motive's content distribution network (CDN). The attack aimed to steal admin sessions and form data via a malicious JavaScript file.

What Happened

The WordPress ecosystem has been shaken by a major cyberattack targeting popular plugins trusted by millions of websites. According to information that became public on June 15, 2026, the plugins OptinMonster, TrustPulse, and PushEngage, all owned by the company Awesome Motive, fell victim to a sophisticated supply-chain attack carried out through the company's content distribution network (CDN). This attack resulted in the injection of malicious JavaScript code into websites using these plugins, designed to steal data from visitors and site administrators.

The incident was discovered by researchers at the cybersecurity firm Wordfence. The researchers noticed that a legitimate JavaScript file, which the plugins are supposed to load, had been replaced with a version containing a highly dangerous backdoor controlled by the attackers. This meant that sites using the plugin were automatically infected without the site owners having to make any changes or mistakes. The fact that code coming from a trusted source was actually malicious once again demonstrates how dangerous supply-chain attacks can be.

The attack reportedly began on June 12, 2026, and was contained by Awesome Motive's security teams on June 14, 2026. It is believed that a large number of WordPress sites running these popular plugins became targets for the attackers during this two-day window. After detecting the attack, the company acted quickly, disabling the affected CDN and ensuring that clean files were automatically distributed to all users. However, even this short period may have been enough for the attackers to collect a significant amount of data and gain control over sites.

What Data Was Compromised

The primary goal of the attack was to exfiltrate sensitive information from the affected websites. The injected malicious JavaScript code was specifically designed to target two types of data: form data and administrator session cookies.

First, the code secretly monitored form submissions on the site. This means that whenever a visitor filled out a contact form, a newsletter subscription box, or any other data entry field, all the information entered was sent to the attackers' servers. The compromised data could include personal information such as:

  • Full names
  • Email addresses
  • Phone numbers
  • Any other private or sensitive information users entered into forms

The theft of this type of data can be used for phishing attacks, identity theft, and other fraudulent activities. Visitors, thinking they were submitting information to a trusted website, were actually handing their data directly to cybercriminals.

The second, and perhaps more dangerous, target was the session cookies of users logged into the WordPress admin panel. By stealing these cookies, attackers could hijack the sessions of site administrators. This allowed them to gain full access to the admin panel without needing to know the admin's password, simply by cloning the active session. There is almost no limit to what an attacker with admin access can do to a WordPress site. For example, they could create new, hidden administrator accounts, change the site's content, redirect visitors to malicious sites, install more persistent malware on the site, or turn the site into part of a botnet. In short, this method gave them complete control over the site.

How the Attack Happened

What makes this incident particularly alarming is the way the attack was executed. Unlike a classic website hack, this was a supply-chain attack. Instead of targeting thousands of individual websites one by one, the attackers targeted a single central point that these sites trusted: Awesome Motive's content distribution network (CDN).

A CDN is a service that hosts a website's static files, such as images, CSS, and JavaScript, on servers distributed worldwide, allowing the site to load faster. Most site owners trust these services and assume the files coming from them are secure. The attackers exploited this exact trust. They somehow managed to breach Awesome Motive's CDN and replaced one of the legitimate JavaScript files used by plugins like OptinMonster with a file containing their own malicious code.

According to the source report, the malicious code was being loaded from //app.feedbackwp.com/beta/sdk.js. Any WordPress site using these plugins would automatically call and execute this fake file when loading a page for a visitor. As a result, even if the site owner or visitor did nothing suspicious, the site began running the attackers' code in the background. The technical details of the attack, specifically how the attackers first gained access to the CDN, have not yet been made public. However, the consequences are very clear: an update or file from a trusted source served as a Trojan horse to infect thousands of websites simultaneously.

Who Is Affected

The direct victims of the attack were websites using three very popular WordPress plugins developed by Awesome Motive:

  • OptinMonster: A marketing plugin generally used to build email lists, generate leads, and increase conversion rates. It is known to be active on millions of websites.
  • TrustPulse: A marketing tool that creates social proof by showing visitors the actions of other users, such as purchases or sign-ups.
  • PushEngage: A service that allows websites to send push notifications to their visitors.

The common thread among these plugins is their large user base and their popularity with marketing-oriented sites. This means that the affected sites include a wide variety of platforms, such as e-commerce stores, blogs, news portals, and corporate websites. An official number for the total number of affected sites or users has not yet been released, but given the popularity of these plugins, it can be estimated that potentially hundreds of thousands, if not millions, of websites were at risk.

What You Can Do

If you use one of the OptinMonster, TrustPulse, or PushEngage plugins on your website, there are some steps you should take. Although Awesome Motive has stated that they have automatically rolled out clean files to resolve the issue, it is important to be cautious.

  1. Check Your Site's Source Code: Open your site in your browser, right-click, and select "View Page Source." Search for the string app.feedbackwp.com/beta/sdk.js in the code that appears. If you find this line, your site may still be loading the malicious code. The first step should be to clear your browser and site cache.
  2. Review WordPress Admin Users: Go to the "Users" section in your WordPress admin panel. Check for any administrator accounts that you do not recognize or that look suspicious. Attackers may have created a hidden admin account for themselves after hijacking your session. If you find a suspicious account, delete it immediately.
  3. Change Your Passwords: It is a good idea to change the passwords for all administrator and editor accounts. While session hijacking does not mean a direct password leak, this should be done as a precaution.
  4. Run a Security Scan on Your Site: Perform a full scan of your site using a WordPress security plugin like Wordfence, Sucuri, or MalCare. These tools can help you detect any other backdoors or malicious files that the attackers may have left behind.
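Step 1 can be automated across many pages or cached HTML files. The following is an added example, not code from Wordfence or Awesome Motive: it parses a page and reports script or link tags that point at the URL named above, as well as inline scripts that reference it. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicator quoted in the article; all other names here are illustrative.
IOC_HOST, IOC_PATH = "app.feedbackwp.com", "/beta/sdk.js"

class RefCollector(HTMLParser):
    """Collect <script src> / <link href> URLs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._buf = []
        url = attrs.get("src" if tag == "script" else "href")
        if tag in ("script", "link") and url:
            self.urls.append(url)
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def matches_ioc(url):
    # "//host/path" (protocol-relative, as in the article) has no scheme.
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    return host == IOC_HOST and parts.path.lower() == IOC_PATH

def scan_html(html):
    """Return (kind, evidence) findings for one page of HTML."""
    parser = RefCollector()
    parser.feed(html)
    parser.close()
    hits = [("tag", u) for u in parser.urls if matches_ioc(u)]
    needle = IOC_HOST + IOC_PATH
    for body in parser.inline:
        # PHP's json_encode escapes slashes ("\/") by default; undo that first.
        if needle in body.lower().replace("\\/", "/"):
            hits.append(("inline", needle))
    return hits

# Constructed sample page (not captured from a real site).
SAMPLE = """<html><head>
<script src="https://example.test/wp-includes/js/jquery.min.js"></script>
<script async src="//APP.feedbackwp.com/beta/sdk.js?ver=1"></script>
<script src="https://app.feedbackwp.com.example.test/beta/sdk.js"></script>
<script>var cfg = {"sdk":"https:\\/\\/app.feedbackwp.com\\/beta\\/sdk.js"};</script>
<!-- app.feedbackwp.com/beta/sdk.js mentioned in a comment only -->
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE):
        print(kind, evidence)
```

A hit in a cached copy of a page means the cache still has to be purged even if the live CDN file is clean again.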

What the Company Says

Following the incident, Awesome Motive issued a statement to its users and the public. The company confirmed that on June 14, 2026, its security teams detected and blocked unauthorized access to their CDN. In their statement, they mentioned that attackers had breached one of their servers and modified some JavaScript files. They emphasized that the CDN server that was the source of the problem was immediately taken offline and that clean files were automatically served to all customers.

According to the company, the issue is fully resolved, and customer sites are now serving the correct, secure files. Awesome Motive stated that they acted quickly to mitigate the impact of the incident and are enhancing their security measures to prevent similar events in the future. However, they did not share further technical details about the root cause of the attack or how the attackers gained access to the CDN.

Source

https://www.bleepingcomputer.com/news/security/optinmonster-wordpress-plugin-hacked-in-cdn-supply-chain-attack/
