blindthoughts
breaking

WordPress Plugin Supply-Chain Attack Plants Hidden Admin Backdoors

Three widely deployed WordPress plugins — PushEngage, OptinMonster, and TrustPulse — had their JavaScript assets silently tampered with by an attacker, turning trusted plugin files into a mechanism for creating hidden administrator accounts. If a logged-in site admin loaded the affected scripts, the malicious code fired automatically and created a new admin-level account under the attacker's control — no further interaction required.

The Hacker News reports that the payload executed client-side during a legitimate admin session, which allowed it to bypass server-side controls and many WAF rules that expect external-origin threats.

Why This Is Severe

This is a supply-chain attack against the plugin distribution layer itself. The three targets collectively have millions of active installs across e-commerce, SaaS, and marketing sites — environments where admin sessions are frequent and long-lived.

A hidden admin account gives an attacker persistent full-backend access: they can install additional backdoors, redirect visitor traffic, inject malware into user sessions, or exfiltrate customer and payment data at will. Because the account is created silently through a legitimate session, it won't appear in standard failed-login logs.

What to Do Right Now

If you run any of these plugins, treat your installation as potentially compromised until you verify otherwise.

1. Audit your WordPress admin user list immediately. Navigate to Users → All Users, filter by Administrator role, and scrutinize every account. Delete any you don't recognize — pay attention to recently created accounts with generic usernames — and revoke all active sessions.

2. Update all three plugins to the latest version. Pull clean files from the official WordPress plugin repository to replace any tampered assets.

3. Review your logs. Check WordPress debug logs and server access logs for programmatic user creation events, unusual REST API calls to /wp-json/wp/v2/users, or unexpected admin-panel POST requests.

4. Rotate all credentials. If you find a rogue admin account, assume it was used. Rotate passwords for all legitimate admins, rotate the database password, and regenerate your WordPress secret keys (AUTH_KEY, SECURE_AUTH_KEY, etc.) in wp-config.php.

5. Scan for additional injected code. Use Wordfence or manually diff your plugin files against the official repository versions. Attackers who plant one backdoor routinely add secondary persistence.

6. Monitor outbound traffic. Look for unexpected connections from your web server — exfiltration attempts and C2 callbacks are common follow-ons after a successful admin account plant.
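As an added example (not from the article or the report it cites), a small Python helper for steps 1 and 3: it flags POST requests to the two WordPress user-creation endpoints in a combined-format access log, folding the permalink-less `?rest_route=` form into the `/wp-json` path, and lists administrator accounts registered on or after a cutoff from the JSON that `wp user list` emits. The log lines, IPs, hostnames and user records are constructed samples.

```python
import json
import re
from datetime import datetime
from urllib.parse import parse_qs

# Constructed sample access-log lines (combined log format); not taken from the article.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2025:14:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:14:02:13 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 412 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:14:05:40 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9911 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:14:06:02 +0000] "POST /?rest_route=%2Fwp%2Fv2%2Fusers HTTP/1.1" 201 410 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:14:07:30 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://example.test/wp-admin/user-new.php" "Mozilla/5.0"
"""

# Constructed sample shaped like: wp user list --role=administrator --fields=ID,user_login,user_registered --format=json
SAMPLE_ADMIN_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-06-01 09:00:00"},
    {"ID": 42, "user_login": "wpuser123", "user_registered": "2025-03-10 14:02:13"},
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
USER_CREATION_PATHS = ("/wp-json/wp/v2/users", "/wp-admin/user-new.php")

def _canonical_path(raw):
    """Map a request target to a canonical path; folds the ?rest_route= form into /wp-json."""
    base, _, query = raw.partition("?")
    route = parse_qs(query).get("rest_route", [""])[0].rstrip("/")
    if base == "/" and route == "/wp/v2/users":
        return "/wp-json/wp/v2/users"
    return base.rstrip("/")

def find_user_creation_requests(log_text):
    """Return (ip, timestamp, canonical_path, status) for every POST to a user-creation endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = _canonical_path(m["path"])
        if path in USER_CREATION_PATHS:
            hits.append((m["ip"], m["ts"], path, int(m["status"])))
    return hits

def recently_registered_admins(users_json, since_date):
    """Return admin logins whose user_registered is on or after since_date ('YYYY-MM-DD')."""
    cutoff = datetime.strptime(since_date, "%Y-%m-%d")
    return [u["user_login"] for u in json.loads(users_json)
            if datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S") >= cutoff]
```

A hit with status 201 on the REST endpoint during an admin's browsing session is exactly the client-side creation pattern the article describes; correlate the timestamp with the user_registered value of any unfamiliar administrator.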

If you manage WordPress sites for clients, escalate immediately. A single unguarded admin session on a vulnerable installation is the only precondition the attacker needed.

Sources
  1. Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites

Synthesized by Claude · sanity-checked before publish.
