Attackers have hijacked the code behind several popular WordPress plugins to plant hidden backdoors and rogue administrator accounts on as many as 1.2 million sites.
The supply-chain attack, detailed by Dutch malware research firm Sansec on June 13, tampered with JavaScript served for OptinMonster, TrustPulse and PushEngage, three plugins run by WordPress vendor Awesome Motive.
Rather than living on victim servers, the malicious code rode in through Awesome Motive's own delivery network, so any site loading the scripts pulled the tampered files straight from the source.
The payload stays dormant until a logged-in administrator loads a page, leaving ordinary visitors untouched, for now.
From Tampered Script to Rogue Admin
When an admin is detected, the script springs into action. It creates a fresh administrator account, installs a self-hiding backdoor plugin to keep its grip, then ships the new credentials to a lookalike of the legitimate chat service tidio.com.
OptinMonster alone runs on more than a million sites, with TrustPulse and PushEngage adding the rest. Because the attacker effectively owns each compromised site, Sansec warned that abuse of regular visitors is likely to follow.
The firm likened the campaign to the 2024 Polyfill attack, in which poisoning a single upstream file affected thousands of downstream sites.
How the attackers got in remains unclear: the firm said Awesome Motive's own servers, its CDN account or, less likely, the BunnyNet network behind it could be the entry point.
A Short Exposure Window
The exposure windows look short. Sansec logged the tampered OptinMonster and TrustPulse code for about half an hour late on June 12 before it disappeared, a hint the vendor had noticed, though the PushEngage script was still serving malware on June 13.
Only the three plugins are confirmed compromised, yet Awesome Motive's reach runs far wider, spanning tens of millions of sites through products such as:
- WPForms, with more than six million installs
- All in One SEO, on around three million
- MonsterInsights, on roughly two million
None of those is a confirmed hit, but Sansec urged anyone running an Awesome Motive plugin to watch for unfamiliar admin accounts and traffic to tidio[.]cc, and to act fast if either shows up.
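The two checks Sansec recommends, automated as an added example (not code from the article or from Sansec): it flags proxy or DNS log lines from admin workstations whose host is tidio[.]cc or a subdomain of it, keeping legitimate tidio.com out of the results, and lists administrator logins that are not on an allowlist. The log lines and user records are constructed, and the records assume the shape of WP-CLI's `wp user list --format=json` output.

```python
import json

# Constructed sample admin-side proxy/DNS log, "<time> <user> <host> <path>":
# legitimate tidio.com sits beside the tidio.cc lookalike (not real data)
SAMPLE_LOG = """\
2025-06-12T22:05:12Z owner tidio.com /api/widget
2025-06-12T22:05:13Z owner tidio.cc /collect
2025-06-12T22:05:14Z devops www.tidio.cc /collect
2025-06-12T22:05:15Z owner nottidio.cc /unrelated
"""

# Constructed stand-in for `wp user list --format=json` output (assumed shape:
# each record carries "user_login" and a comma-separated "roles" string)
SAMPLE_USERS_JSON = json.dumps([
    {"user_login": "owner", "roles": "administrator"},
    {"user_login": "devops", "roles": "administrator"},
    {"user_login": "writer", "roles": "editor"},
    {"user_login": "wp_support_1", "roles": "administrator"},
])

LOOKALIKE_HOST = "tidio.cc"          # exfiltration domain named by Sansec
KNOWN_ADMINS = {"owner", "devops"}   # admin logins the site owner expects

def is_lookalike_host(host):
    """True for tidio.cc or any subdomain of it; tidio.com and nottidio.cc are not."""
    host = host.lower().rstrip(".")
    return host == LOOKALIKE_HOST or host.endswith("." + LOOKALIKE_HOST)

def flag_lookalike_requests(log_text):
    """Return (time, user, host, path) for every log line that reached the lookalike."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                  # skip malformed lines instead of crashing
        time, user, host, path = fields[:4]
        if is_lookalike_host(host):
            hits.append((time, user, host, path))
    return hits

def unexpected_admins(users_json, known_admins):
    """Return administrator logins that are not on the owner's allowlist."""
    admins = [u["user_login"] for u in json.loads(users_json)
              if "administrator" in u["roles"].split(",")]
    return sorted(login for login in admins if login not in known_admins)

if __name__ == "__main__":
    for hit in flag_lookalike_requests(SAMPLE_LOG):
        print("lookalike traffic:", *hit)
    for login in unexpected_admins(SAMPLE_USERS_JSON, KNOWN_ADMINS):
        print("unexpected admin:", login)
```

Because the payload runs in the administrator's browser, the traffic worth watching originates from admin workstations rather than from the web server itself.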
Infosecurity has reached out to Awesome Motive for comment.
