• Over 1 million WordPress sites at risk after popular plugin hacke

    From TechnologyDaily@1337:1/100 to All on Tue Jun 16 18:45:26 2026
    Over 1 million WordPress sites at risk after popular plugin hacked OptinMonster among those hit in CDN supply-chain attack

    Date:
    Tue, 16 Jun 2026 17:40:00 +0000

    Description:
    Three popular plugins served malicious JavaScript through a compromised CDN.

    FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter Vulnerability in UpdraftPlus plugin on Awesome Motives marketing server enabled CDN compromise and malicious JavaScript injection Malware targeted loggedin WordPress admins, harvesting tokens and creating rogue accounts for full takeover Site owners urged to check for fake admin accounts (developer_api1, dev_xxxxxx), hidden backdoor plugins, and rotate credentials/security salts More than a million WordPress websites were at risk of full website takeover, after a vulnerability in a plugin enabled a large-scale supply-chain attack. The attack was spotted over the weekend by the ecommerce security outfit Sansec, and later confirmed by the victim company.

    According to the researchers, hackers found and exploited a vulnerability in the UpdraftPlus WordPress plugin running on a marketing server belonging to Awesome Motive, the company behind multiple popular WordPress products including OptinMonster, TrustPulse, and PushEngage. Even though the
    vulnerable server was not part of the production environment, it stored credentials for the companys content delivery network (CDN), and by using the stolen CDN API key, the attackers were able to modify JavaScript files distributed through Awesome Motive's CDN. Latest Videos From Watch full video here: Targeting admins only The compromised files were later used by OptinMonster, TrustPulse, and PushEngine, meaning the attackers JavaScript
    was served to visitors, but not all of them.

    The malware only activated when a logged-in WordPress admin visited an affected site, helping it remain hidden while targeting only high-privilege users. The malicious script then harvested administrator authentication
    tokens and WordPress nonces, using them to create new admin accounts. You may like WordPress websites under attack expert report says dozens of plugins hijacked to target thousands of sites WordPress users beware experts claim sites are being hijacked using a critical flaw in popular Everest Forms Pro plugin Over a million WordPress sites hit in plugin flaw so patch now or
    face the consequences

    In the next step, the attackers installed additional malicious plugins, established command-and-control infrastructure, and began exfiltrating sensitive data. The malware also enabled web shell functionality, arbitrary PHP code execution, file management features, and virtually anything else an admin might do.

    Even after Awesome Motive removed the malicious CDN scripts, attackers retained control of already compromised websites through the rogue administrator accounts and hidden backdoor plugins. Therefore, website owners at risk of takeover should look for rogue admin accounts named developer_api1 or dev_xxxxxx, inspect the filesystem directly under wp-content/plugins for hidden backdoor plugins, and execute server-side malware scans. Are you a
    pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting
    your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

    Furthermore, they should rotate admin passwords, API keys, database credentials, and WordPress security salts.

    Via BleepingComputer The best antivirus for all budgets Our top picks, based on real-world testing and comparisons

    Read our full guide to the best antivirus 1. Best overall: Bitdefender Total Security 2. Best for families: Norton 360 with LifeLock 3. Best for mobile: McAfee Mobile Security Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/over-1-million-wordpress-sites-at-risk- after-popular-plugin-hacked-optinmonster-among-those-hit-in-cdn-supply-chain-a ttack


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)