Attackers compromised trusted JavaScript files belonging to three major WordPress plugins, injecting malicious code designed to create backdoor access on affected websites.

The tampered files belonged to PushEngage, OptinMonster, and TrustPulse, all widely deployed plugins across WordPress installations. The injected code operated with precision, executing only when a site administrator loaded the malicious script. Upon detection of an admin session, the payload created a hidden administrator account under attacker control and deployed a concealed plugin to establish persistent access.

This approach minimized detection risk. Regular website visitors who accessed the pages containing the compromised code did not trigger the malicious payload, leaving the compromise invisible to most traffic. Only administrators with proper credentials encountered the activation condition, making the attack difficult to spot during routine site monitoring.

The supply chain attack leveraged the inherent trust placed in established WordPress plugins. Administrators' browsers load these JavaScript files automatically whenever they use the site, creating an ideal infection vector. Once a backdoor administrator account existed, attackers could modify site content, harvest data, or pivot toward other infrastructure without requiring further access attempts.

The attack underscores a critical weakness of plugin-dependent systems. WordPress powers over 40 percent of all websites globally, and plugins like OptinMonster and PushEngage have millions of active installations. A single compromise of trusted plugin code affects every dependent site simultaneously.

Organizations running these plugins should immediately audit administrator accounts for unfamiliar entries and review installed plugins for suspicious additions. Site owners should update these plugins to patched versions and reset all administrative credentials. Website administrators should also review access logs for the period when the malicious code was active.
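The audit steps above (unfamiliar administrator accounts, unexpected plugin additions, activity during the window the injected script was live) can be scripted. The following is an added example written for this page, not code from the article or from the affected plugin vendors. It assumes the administrator list comes from WP-CLI (`wp user list --role=administrator --format=json --fields=ID,user_login,user_email,user_registered`), that plugin directory names are read from `wp-content/plugins` and `wp-content/mu-plugins` on disk rather than from the dashboard (a concealed plugin can hide itself from the admin UI's plugin list), and that the allowlists and incident window are site-specific values the operator supplies; every value below is a constructed placeholder.

```python
"""Post-incident audit helper for the WordPress plugin compromise described above.

Assumed inputs (constructed samples, not data from the article):
  * JSON from `wp user list --role=administrator --format=json
    --fields=ID,user_login,user_email,user_registered`
  * directory names found under wp-content/plugins and wp-content/mu-plugins
The allowlists and the incident window are site-specific placeholders.
"""
import json
from datetime import datetime

# Constructed sample of WP-CLI output; user_registered uses WordPress's
# 'YYYY-MM-DD HH:MM:SS' format.
SAMPLE_ADMIN_JSON = json.dumps([
    {"ID": "1", "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-03-04 10:00:00"},
    {"ID": "2", "user_login": "editor-jane", "user_email": "jane@example.com",
     "user_registered": "2022-07-19 09:30:00"},
    {"ID": "57", "user_login": "wp_support", "user_email": "support@example.net",
     "user_registered": "2025-10-02 03:14:07"},
])

# Constructed directory listings; "wp-core-helper" stands in for an unknown addition.
SAMPLE_PLUGIN_DIRS = ["optinmonster", "pushengage", "trustpulse", "akismet", "wp-core-helper"]
SAMPLE_MU_PLUGIN_DIRS = ["site-config", "wp-core-helper"]

# Operator-maintained allowlists (placeholders).
KNOWN_ADMINS = {"siteowner", "editor-jane"}
KNOWN_PLUGINS = {"optinmonster", "pushengage", "trustpulse", "akismet"}
KNOWN_MU_PLUGINS = {"site-config"}

# Placeholder incident window: the period the injected script was live on the site.
WINDOW_START = datetime(2025, 10, 1)
WINDOW_END = datetime(2025, 10, 5)


def find_suspicious_admins(admin_json, known_admins, window_start, window_end):
    """Return administrator accounts that are not on the allowlist or were
    registered inside the incident window. Each finding lists its reasons."""
    findings = []
    for user in json.loads(admin_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("login not in allowlist")
        if window_start <= registered <= window_end:
            reasons.append("registered during incident window")
        if reasons:
            findings.append({"ID": user["ID"], "user_login": user["user_login"],
                             "reasons": reasons})
    return findings


def find_unexpected_plugins(plugin_dirs, mu_plugin_dirs, known_plugins, known_mu_plugins):
    """Compare on-disk plugin directories against the allowlist. mu-plugins are
    checked too because they load unconditionally and never appear as
    deactivatable entries in the dashboard."""
    return {
        "plugins": sorted(set(plugin_dirs) - set(known_plugins)),
        "mu-plugins": sorted(set(mu_plugin_dirs) - set(known_mu_plugins)),
    }


def run_audit(admin_json=SAMPLE_ADMIN_JSON, plugin_dirs=SAMPLE_PLUGIN_DIRS,
              mu_plugin_dirs=SAMPLE_MU_PLUGIN_DIRS,
              window_start=WINDOW_START, window_end=WINDOW_END):
    """Combine both checks into one report dict suitable for ticketing."""
    return {
        "admins": find_suspicious_admins(admin_json, KNOWN_ADMINS, window_start, window_end),
        "plugins": find_unexpected_plugins(plugin_dirs, mu_plugin_dirs,
                                           KNOWN_PLUGINS, KNOWN_MU_PLUGINS),
    }


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

On a real site, replace the sample JSON with the actual WP-CLI output and the directory lists with `os.listdir()` of the two plugin directories; any account or directory the report flags should be verified against change records before it is removed, and the credential reset and access-log review from the paragraph above still apply regardless of what the script finds.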

The incident highlights the ongoing risk of supply chain contamination. Attackers increasingly target plugin repositories and code delivery networks rather than individual sites, multiplying the impact of a single successful intrusion. Security teams must treat plugin updates with heightened scrutiny and consider supplementary monitoring