
OptinMonster WordPress Plugin Hacked in CDN Supply-Chain Attack

Huma Shazia, 15 June 2026 at 11:47 pm, 5 min read

Key Takeaways

Source: BleepingComputer
  • Attackers exploited a known UpdraftPlus vulnerability on an Awesome Motive marketing server, stole the company's CDN API key and used it to inject malicious JavaScript into the CDN-hosted scripts of OptinMonster, TrustPulse and PushEngage
  • The payload stayed dormant for ordinary visitors and fired only in the browsers of logged-in WordPress administrators, where it used their session to create a rogue admin account and install a self-hiding backdoor plugin
  • The tampered scripts were live for about 25 minutes for OptinMonster and TrustPulse and roughly 21 hours for PushEngage before the CDN was cleaned

Three popular WordPress plugins from Awesome Motive have been compromised in a supply-chain attack that injected malicious JavaScript into websites through the company's content distribution network. OptinMonster, TrustPulse, and PushEngage all served malware to site visitors over the weekend.

OptinMonster, a lead-generation and conversion optimization tool, is the most widely used of the three; at least 1.2 million websites run the plugin. E-commerce security firm Sansec discovered the attack and traced malicious script delivery to two windows: Friday between 22:17 UTC and 22:42 UTC for OptinMonster and TrustPulse, and from the same start until Saturday 19:02 UTC for PushEngage.


How the Attack Worked

The attack was precisely targeted. The injected script loaded in every visitor's browser but did nothing unless the visitor was a logged-in WordPress administrator; standard visitors saw nothing unusual. Once an admin loaded the page, the code harvested the authentication tokens and WordPress nonces available in that admin's session and, riding the admin's own authenticated browser, used them to create a rogue administrator account.

The attackers then installed a self-hiding backdoor plugin and established communication with a domain impersonating Tidio, a customer service platform. This channel exfiltrated any newly captured credentials. The backdoor provided full remote access capabilities, including a web shell labeled "WPM File Manager & Shell" and arbitrary PHP code execution.

The operator rotates the plugin's disguise while keeping the logic byte-identical across renames. We have observed it shipping as 'Content Delivery Helper' (content-delivery-helper, v2.7.1) and, currently, as 'Database Optimizer' (database-optimizer, v2.9.4).

— Sansec security researchers

This disguise rotation made detection harder. Site owners searching for known malicious plugin names would miss these innocuously named packages.

Root Cause: Stolen CDN Credentials

Awesome Motive published a security advisory explaining how attackers gained their foothold. Hackers exploited a known vulnerability in the UpdraftPlus WordPress plugin to compromise a server hosting one of Awesome Motive's marketing websites.

This server was not connected to production infrastructure or customer data systems. However, it stored credentials for the company's CDN account, so a host that was out of scope on paper held a secret whose blast radius was every customer site. Using the stolen CDN API key, attackers modified JavaScript files distributed through the CDN. Websites loading these files unknowingly executed malicious code.

The affected JavaScript files were hosted at:

  • a.omappapi.com/app/js/api.min.js (OptinMonster)
  • a.opmnstr.com/app/js/api.min.js (OptinMonster)
  • a.optnmstr.com/app/js/api.min.js (OptinMonster)
  • a.trstplse.com/app/js/api.min.js (TrustPulse)

Awesome Motive's Response

The company has taken several remediation steps. It migrated the compromised marketing site to a new server, rotated all credentials including the CDN API key, and cleaned the malicious code from its CDN.

Awesome Motive stressed that its application servers, source code, and plugin hosting servers were never compromised. The attack vector was limited to the CDN-delivered JavaScript files.

What Site Owners Should Do Now

If you run any of the three affected plugins, assume your site may have been compromised if an administrator viewed any page of it during the attack window. Take these steps:

  1. Review all administrator accounts. Delete any you don't recognize, and compare registration dates against the June 12-13 window.
  2. Check your installed plugins for "Content Delivery Helper" (slug content-delivery-helper) or "Database Optimizer" (slug database-optimizer) and remove them immediately. Because the backdoor is described as self-hiding, inspect the wp-content/plugins directory on disk as well as the admin plugin list.
  3. Search plugin files for the web-shell label "WPM File Manager & Shell" (searching for "Shell" alone will match legitimate code).
  4. Rotate all admin passwords and API keys, and log every administrator out of all sessions (WordPress's "Log Out Everywhere Else", or wp user session destroy --all) so that a session captured during the window stops working.
  5. Review server access logs for the June 12-14 period, looking for POST requests that create users or upload plugins from addresses you don't recognize.
  6. Run a full malware scan using a tool like Wordfence or Sucuri.
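The checklist above can be scripted. The following is an added example, not code from Awesome Motive, Sansec or BleepingComputer: it checks the plugin directory for the two reported slugs and the web-shell label, diffs the administrator list (as exported by WP-CLI) against a known-good list, and pulls access-log lines in the attack window that hit user-creation or plugin-upload endpoints. The plugin slugs and the "WPM File Manager" label come from the article; the endpoint list, the combined-log format and every sample file, user and log line are constructed assumptions.

```python
"""Triage helpers for the checklist above (added example; not code from
Awesome Motive, Sansec or BleepingComputer). The plugin slugs and the
web-shell label are those reported in the article; the endpoint list, the
log format and all sample data are constructed assumptions."""
import csv
import io
import os
import re
import tempfile
from datetime import datetime, timezone

IOC_PLUGIN_SLUGS = {"content-delivery-helper", "database-optimizer"}
IOC_STRINGS = ("WPM File Manager",)   # full label avoids false hits on the word "Shell"
# Requests a rogue admin session would make to add a user or upload a plugin
# (assumed list; extend it for your own install).
WRITE_ENDPOINTS = {"/wp-admin/user-new.php", "/wp-json/wp/v2/users",
                   "/wp-admin/update.php", "/wp-admin/plugin-install.php"}
# Combined-log prefix assumed: ... [12/Jun/2026:22:31:07 +0000] "POST /path HTTP/1.1" ...
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def find_ioc_plugins(plugins_dir):
    """Walk wp-content/plugins; return [(kind, location)] for slug and string hits."""
    hits = []
    for entry in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, entry)
        if not os.path.isdir(plugin_path):
            continue
        if entry in IOC_PLUGIN_SLUGS:
            hits.append(("slug", entry))
        for root, _dirs, files in os.walk(plugin_path):
            for name in sorted(files):
                if not name.endswith(".php"):
                    continue
                path = os.path.join(root, name)
                with open(path, errors="ignore") as fh:
                    if any(s in fh.read() for s in IOC_STRINGS):
                        hits.append(("string", os.path.relpath(path, plugins_dir)))
    return hits


def unknown_admins(users_csv, known_logins):
    """users_csv is the output of
    wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
    Returns the admin logins that are not on your known-good list."""
    known = set(known_logins)
    return [row["user_login"] for row in csv.DictReader(io.StringIO(users_csv))
            if row["user_login"] not in known]


def suspicious_log_lines(lines, start, end):
    """Return log lines inside [start, end] that POST to a user- or plugin-write endpoint."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0].rstrip("/")
        if start <= ts <= end and m["method"] == "POST" and path in WRITE_ENDPOINTS:
            out.append(line)
    return out


def demo():
    """Build a constructed site tree and sample data; return the three findings."""
    root = tempfile.mkdtemp()
    plugins = os.path.join(root, "wp-content", "plugins")
    fixtures = {   # constructed: one clean plugin, one IOC slug, one file carrying the shell label
        "akismet/akismet.php": "<?php /* Plugin Name: Akismet */\n",
        "database-optimizer/database-optimizer.php": "<?php /* Plugin Name: Database Optimizer */\n",
        "wp-backup/tools.php": "<?php /* WPM File Manager & Shell */\n",
    }
    for rel, body in fixtures.items():
        os.makedirs(os.path.dirname(os.path.join(plugins, rel)), exist_ok=True)
        with open(os.path.join(plugins, rel), "w") as fh:
            fh.write(body)
    users_csv = ("ID,user_login,user_registered\n"          # constructed WP-CLI export
                 "1,alice,2021-03-01 10:00:00\n"
                 "17,wp_support,2026-06-12 22:31:08\n")
    logs = [                                                 # constructed access-log lines
        '203.0.113.9 - - [12/Jun/2026:22:31:07 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 412',
        '203.0.113.9 - - [12/Jun/2026:22:31:40 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0',
        '198.51.100.4 - - [12/Jun/2026:22:35:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123',
        '203.0.113.9 - - [11/Jun/2026:09:00:00 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 412',
    ]
    window = (datetime(2026, 6, 12, 22, 17, tzinfo=timezone.utc),
              datetime(2026, 6, 13, 19, 2, tzinfo=timezone.utc))
    return (find_ioc_plugins(plugins),
            unknown_admins(users_csv, ["alice"]),
            suspicious_log_lines(logs, *window))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real site, feed find_ioc_plugins the path to wp-content/plugins, unknown_admins the output of wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv, and suspicious_log_lines the web server's access log. The on-disk walk matters because a self-hiding plugin can filter itself out of wp plugin list and the admin screen; the filesystem does not lie in the same way.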

Why CDN Attacks Are So Dangerous

Supply-chain attacks through CDNs are particularly dangerous because they bypass traditional security measures. Site owners trust CDN-delivered scripts. The code runs with the same privileges as locally hosted files. A single compromised API key can inject malware into hundreds of thousands of sites simultaneously.

Security researchers on Hacker News pointed to the "centralization of trust" problem in WordPress ecosystems. When plugins rely on third-party CDNs for script delivery, they create single points of failure. Some users urged plugin developers to move toward self-hosted assets or implement Subresource Integrity (SRI) hashes that verify scripts haven't been tampered with.

Timeline of Events

June 12, 22:17 UTC
Malicious scripts begin serving to OptinMonster and TrustPulse users
June 12, 22:42 UTC
First wave of injections ends for OptinMonster and TrustPulse
June 13, 19:02 UTC
PushEngage stops serving malicious JavaScript
June 14
Sansec publicly discloses the attack
June 15
Awesome Motive publishes security advisory and confirms remediation

Frequently Asked Questions

How do I know if my WordPress site was affected?

Check for unknown administrator accounts and plugins named "Content Delivery Helper" or "Database Optimizer." Review your admin login logs for June 12-14. If any admin visited your site during the attack window, assume compromise.

Were customer databases or payment information stolen?

Awesome Motive states its application servers and data systems were not compromised. However, any data accessible through rogue admin accounts on individual WordPress sites may have been exfiltrated.

Has Awesome Motive patched the affected plugins?

The malicious code was served via CDN, not through the plugins themselves. Awesome Motive has cleaned its CDN and rotated all credentials, so no plugin update is required to stop the injection. That does not clean up individual sites: any site an administrator visited during the attack window still needs the rogue-account and backdoor checks above.

What is Subresource Integrity and how would it help?

SRI is a browser feature: the script tag carries a hash of the expected file (an integrity="sha384-..." attribute), and the browser refuses to execute a fetched file whose hash does not match. Had the plugins emitted their api.min.js tags with an integrity attribute, browsers would have rejected the tampered CDN copy. The catch is that the attribute is set by whoever writes the script tag, here the plugin vendor rather than the site owner, and the hash has to be updated with every release of the file, which is why vendors of frequently updated CDN scripts often omit it.
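To make concrete what the Hacker News suggestion and this answer describe, here is an added example (not code from the article, the plugins or any browser) that computes an SRI integrity value the way a browser does, emits the script tag a plugin would have to print, and models the browser-side check, including the rule that only tokens of the strongest algorithm present count. The script bodies are constructed stand-ins for api.min.js; the CDN URL is the OptinMonster one listed in the article.

```python
"""SRI worked example (added here; not code from the article or from
Awesome Motive). Script bodies are constructed stand-ins for api.min.js;
the CDN URL is the OptinMonster one named in the article."""
import base64
import hashlib
import hmac

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}   # the only algorithms SRI allows


def sri_hash(body, algo="sha384"):
    """Return one integrity token, e.g. 'sha384-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, body):
    """The tag a plugin would have to print for the browser to enforce SRI.
    crossorigin="anonymous" is mandatory for a cross-origin script: without a
    CORS-enabled fetch the browser cannot check the bytes and refuses to run them."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def verify_integrity(body, integrity):
    """Model the browser-side check. The attribute may carry several
    whitespace-separated tokens; only the tokens using the strongest algorithm
    present are consulted, and any one of them matching admits the resource."""
    tokens = []
    for tok in integrity.split():
        algo, _, expected = tok.partition("-")
        if algo in STRENGTH and expected:
            tokens.append((algo, expected.split("?", 1)[0]))  # a '?options' suffix is ignored
    if not tokens:
        return True   # no usable metadata: browsers load the resource unchecked
    strongest = max(STRENGTH[a] for a, _ in tokens)
    for algo, expected in tokens:
        if STRENGTH[algo] != strongest:
            continue
        actual = base64.b64encode(hashlib.new(algo, body).digest()).decode("ascii")
        if hmac.compare_digest(actual, expected):
            return True
    return False


# Constructed stand-ins for the legitimate file and a copy altered on the CDN.
GOOD_JS = b"window.OMAPI = window.OMAPI || {};\n"
TAMPERED_JS = GOOD_JS + b"/* bytes appended by someone holding the CDN key */\n"
CDN_SRC = "https://a.omappapi.com/app/js/api.min.js"


def demo():
    """Return (tag, legitimate_file_accepted, tampered_file_accepted)."""
    pinned = sri_hash(GOOD_JS)
    return (script_tag(CDN_SRC, GOOD_JS),
            verify_integrity(GOOD_JS, pinned),
            verify_integrity(TAMPERED_JS, pinned))


if __name__ == "__main__":
    tag, ok, bad = demo()
    print(tag)
    print("legitimate file accepted:", ok)
    print("tampered file accepted:", bad)
```

Two practical points follow from the code. The CDN must answer the crossorigin fetch with an Access-Control-Allow-Origin header, or the browser fails closed on every site. And SRI covers only the tag that carries the attribute: if api.min.js itself injects further scripts at runtime, those loads need their own integrity values, otherwise the second hop is as unprotected as before.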

Which WordPress plugin was used to breach Awesome Motive?

Attackers exploited a known vulnerability in UpdraftPlus to compromise a marketing server that stored CDN credentials.
