Supply Chain Attack Hits Popular WordPress Plugins Through Awesome Motive CDN

Attackers compromised Awesome Motive CDN files, backdooring WordPress sites running OptinMonster, TrustPulse, and PushEngage.

Sansec researchers discovered an active supply chain attack hitting WordPress sites running OptinMonster, TrustPulse, and PushEngage, three plugins operated by Awesome Motive, one of the largest WordPress plugin companies in the world.

The malicious JavaScript wasn’t sitting on any victim’s server. It was injected into files served directly from Awesome Motive’s own CDN endpoints, meaning every site that loaded those scripts pulled the tampered version straight from the source, with no warning and no way to discover the attack.

“Attackers added malicious JavaScript to the legitimate files served by Awesome Motive, which are embedded in their customer’s sites.” reads the report published by Sansec.

The attack follows the exact same pattern as the Polyfill supply chain attack that Sansec uncovered in 2024.

“The malicious code did not live on any victim’s own server but was injected via Awesome Motive’s CDN endpoints.” continues the report. “This resembles the Polyfill supply chain attack that Sansec discovered in 2024: tamper with a single upstream file, and the malware reaches thousands of downstream sites without ever touching them individually.”

OptinMonster alone has over a million active WordPress installations. Add TrustPulse and PushEngage and the exposure surface becomes very large very fast.

According to the researchers, the injected code is carefully written to avoid detection. It exits immediately if it detects a headless browser, a web driver, or a zero-size window. It only proceeds if it finds a logged-in WordPress administrator, checking for wp-admin paths, the admin toolbar, or the wordpress_logged_in_ cookie. A 24-hour throttle stored in localStorage prevents it from firing repeatedly during the same session.

Once it confirms it’s looking at a real admin, it gets to work. It locates the WordPress installation root, fingerprints the version, and harvests authentication tokens from multiple sources, including the REST API settings and the admin AJAX endpoint. Then it creates a backdoor administrator account using four separate fallback methods in sequence: the user registration form, admin-ajax.php, the REST API users endpoint, and finally a hidden iframe form submission.

It even recognizes “user already exists” error messages in roughly twenty languages. The fixed account it plants is developer_api1 with the email [email protected], alongside randomized dev_xxxxxx accounts for variety.

All the stolen data, credentials, site address, admin path, and WordPress version, gets scrambled with a simple encryption key, converted to text, and quietly sent to tidio.cc. That domain was registered on April 28 specifically to look like tidio.com, the real chat platform most people wouldn’t think twice about seeing in network traffic.

“The new admin user:password, site origin, logout URL, admin path, method, timing and WordPress version are XOR-encrypted (key jX9kM2nP4qR6sT8v), base64-encoded, and sent to tidio.cc/cdn-cgi/*.” states the report. “Delivery falls back through sendBeacon, then fetch (no-cors), then XHR, then an Image().src beacon.”

Four separate delivery mechanisms in sequence, because the attacker didn’t want a single failed network request to stop the exfiltration.

The backdoor plugin that gets silently installed is the part that should make any WordPress administrator nervous. It hides itself from the plugin list on the admin dashboard, from the REST API plugins endpoint, from update checks, and from the recently active list. It exposes two unauthenticated entry points: one opens a web shell called “WPM File Manager & Shell” that runs arbitrary system commands and accepts file uploads, the other runs arbitrary PHP code via eval.

“The plugin that gets installed is built to disappear. It hides itself from the user list, the plugin list (both the admin screen and the REST /wp/v2/plugins endpoint), update checks, and the “recently active” list.” warns Sansec. “The operator rotates the plugin’s disguise while keeping the logic byte-identical across renames. We have observed it shipping as ‘Content Delivery Helper’ (content-delivery-helper, v2.7.1) and, currently, as ‘Database Optimizer’ (database-optimizer, v2.9.4).”

The plugin ZIP is generated fresh on each request, so file hashes change constantly while the functionality stays identical.

The timeline is tight. The C2 domain tidio.cc was registered April 28. The first verified malicious code appeared in OptinMonster and TrustPulse CDN files at 22:17 UTC on June 12. By 22:42 those two were clean. PushEngage kept serving the injected code until June 14. The C2 server remained live and generating fresh payloads throughout.

Awesome Motive’s broader portfolio includes WPForms with over six million active installs, MonsterInsights with around two million, and All in One SEO with around three million. Only OptinMonster, TrustPulse, and PushEngage have confirmed compromised code so far, but anyone running any Awesome Motive plugin should treat this as an active incident until the company provides a full account of what happened. Sansec reached out to Awesome Motive and received no response.

If you had any of the affected plugins installed and an admin was logged in during the injection window, the damage is already done. Check your user list for developer_api1 and any dev_xxxxxx accounts and remove them. Then check the filesystem under wp-content/plugins directly, not the admin dashboard, for content-delivery-helper or database-optimizer directories. The plugin actively hides from the UI, so the dashboard will lie to you.

The WordPress cybersecurity firm also provided indicators of compromise (IoCs) for this campaign.

“If you find any indicators of compromise: rotate every admin password and secret, and assume the attacker has had unauthenticated code execution.” concludes the report. “Because the payload only ever ran for logged-in admins, server-side scanning is one of the most reliable ways to catch it.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Supply Chain Attack)