<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Plugin Security on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/plugin-security/</link><description>Recent content in Plugin Security on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Tue, 16 Jun 2026 11:39:30 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/plugin-security/index.xml" rel="self" type="application/rss+xml"/><item><title>OptinMonster Supply Chain Attack Hits 1.2 Million WordPress Sites</title><link>https://hackingpassion.com/optinmonster-supply-chain-backdoor/</link><pubDate>Tue, 16 Jun 2026 11:39:30 +0200</pubDate><guid>https://hackingpassion.com/optinmonster-supply-chain-backdoor/</guid><description>&lt;p>1.2 million WordPress sites were caught in a supply chain attack last week. It arrived through plugins the sites already trusted, OptinMonster, TrustPulse and PushEngage, and it fired only while an administrator was logged in: the tampered script used that admin session to quietly create a hidden account and plant a backdoor.&lt;/p>
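&lt;p>One check a site operator can run for this class of attack, as an added example and not code from the article, Sansec, Awesome Motive or the plugins named: record a hash of each vendor-hosted script the plugins load, re-check it on a schedule, and treat any body that no longer matches its pin as drift to review. The URLs, hashes and script bodies below are constructed samples, and the check is this page&amp;rsquo;s suggestion, not something the article reports the vendors doing.&lt;/p>

```python
"""Pin and re-check the hashes of vendor-hosted scripts a WordPress site loads.

Added example for this article; not code from Sansec, Awesome Motive or the
plugins named. URLs, hashes and script bodies below are constructed samples.
"""
import base64
import hashlib


def sri_hash(body: bytes):
    """Return the body's SHA-384 digest in the sha384-BASE64 form used by
    Subresource Integrity, so a pin can be compared with an SRI attribute."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def check_scripts(observed: dict, pinned: dict):
    """Compare freshly fetched script bodies against a pinned baseline.

    observed: url to bytes fetched from the vendor CDN right now
    pinned:   url to sri_hash() value recorded when the script was last reviewed

    Returns url to one of "ok", "changed" (body differs from the pin),
    "unpinned" (a script loaded that has no baseline) or "missing"
    (a pinned script the page no longer loads).
    """
    report = {}
    for url, body in observed.items():
        if url not in pinned:
            report[url] = "unpinned"
        elif sri_hash(body) == pinned[url]:
            report[url] = "ok"
        else:
            report[url] = "changed"
    for url in pinned:
        if url not in observed:
            report[url] = "missing"
    return report


def needs_review(report: dict):
    """Every entry that is not "ok", sorted so each run is deterministic."""
    return sorted(url for url, status in report.items() if status != "ok")


# Constructed sample: a vendor SDK body as reviewed last week, and the same
# URL now serving that body with an extra statement appended, which is the
# shape of change a script rewritten on the CDN would produce.
GOOD_SDK = b"(function(){window.vendorSdk={version:'4.2.0'};})();"
TAMPERED_SDK = GOOD_SDK + b"(function(){/* appended code */})();"

# Baseline recorded at the last review (hypothetical URLs).
PINNED = {
    "https://cdn.vendor.example/sdk.js": sri_hash(GOOD_SDK),
    "https://cdn.other.example/push.js": sri_hash(b"window.push={};"),
}

# What the page loads today: one pinned script changed, one pinned script
# gone, one new script with no baseline at all.
OBSERVED = {
    "https://cdn.vendor.example/sdk.js": TAMPERED_SDK,
    "https://cdn.third.example/new.js": b"window.third={};",
}


def run_sample():
    """Run the check over the constructed sample and return the report."""
    return check_scripts(OBSERVED, PINNED)


if __name__ == "__main__":
    report = run_sample()
    for url in needs_review(report):
        print(f"{report[url]:9} {url}")
```

&lt;p>Treat "changed" as a prompt to diff the new body against the reviewed one, not as proof of compromise: vendors update their SDKs legitimately, which is also why a fixed SRI attribute cannot simply be stamped on a script the vendor changes underneath you. "unpinned" deserves the same attention, since a new remote script is exactly what a compromised plugin or SDK might introduce.&lt;/p>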
&lt;p>Sansec found it on 13 June 2026. The poisoned script belonged to three popular WordPress plugins, OptinMonster, TrustPulse and PushEngage, all run by the same company, Awesome Motive. These plugins handle the small marketing jobs many sites rely on: popups, social-proof notifications and browser push messages. To do that, each one loads a small piece of JavaScript, the vendor&amp;rsquo;s SDK, from the vendor&amp;rsquo;s own content delivery network (CDN), so every site running the plugin executes whatever that CDN serves. That SDK is the part the attacker tampered with.&lt;/p></description></item></channel></rss>