Supply Chain Attack Hits Popular WordPress Plugins Through Awesome Motive CDN
According to the company’s investigation, attackers exploited a known vulnerability in a third-party plugin called UpdraftPlus running on a marketing website server, gained access to the server, and located credentials for the company’s CDN account. “We have observed it shipping as ‘Content Delivery Helper’ (content-delivery-helper, v2.7.1) and, currently, as ‘Database Optimizer’ (database-optimizer, v2.9.4).” The plugin ZIP is generated fresh on each request, so file hashes change constantly while the functionality stays identical.
The Security Issue
The malicious JavaScript was injected into files served directly from Awesome Motive’s own CDN endpoints, meaning every site that loaded those scripts pulled the tampered version straight from the source, with no warning and no way for site owners to discover the attack.
Further details indicate that a supply-chain attack targeting the WordPress plugins OptinMonster, TrustPulse, and PushEngage exposed more than 1.2 million websites to potential compromise after attackers injected malicious JavaScript into files distributed through official CDN infrastructure.
Using those credentials, they modified JavaScript files served to customer websites without breaching OptinMonster’s application infrastructure.
The attack leveraged trusted plugin resources rather than directly compromising individual websites, allowing the malicious code to reach a large number of WordPress installations.
Risk to Applications
Sansec researchers discovered an active supply chain attack hitting WordPress sites running OptinMonster, TrustPulse, and PushEngage, three plugins operated by Awesome Motive, one of the largest WordPress plugin companies in the world. Once installed, the backdoor plugin creates an administrator account using four separate fallback methods in sequence: the user registration form, admin-ajax.php, the REST API users endpoint, and finally a hidden iframe form submission. Only OptinMonster, TrustPulse, and PushEngage have confirmed compromised code so far, but anyone running any Awesome Motive plugin should treat this as an active incident until the company provides a full account of what happened.
Awesome Motive said its application servers, source code repositories, and systems storing customer account data were hosted separately and show no evidence of unauthorized access.
If any indicators of compromise are found, administrators should remove the backdoor, rotate all passwords, API keys, database credentials, and WordPress security keys, and assume attackers obtained full administrative access to the site.
Fix Recommendations
- The fixed account it plants is developer_api1 with the email [email protected], alongside randomized dev_xxxxxx accounts for variety.
- It hides itself from the plugin list on the admin dashboard, from the REST API plugins endpoint, from update checks, and from the recently active list.
- “It hides itself from the user list, the plugin list (both the admin screen and the REST /wp/v2/plugins endpoint), update checks, and the ‘recently active’ list,” warns Sansec.
- Researchers observed the malware creating a fixed administrator account named developer_api1 linked to customer1usx@gmail.com, alongside randomized dev_xxxxxx administrator accounts.
- The installed backdoor plugin was designed to evade detection by hiding from WordPress plugin listings, user interfaces, update checks, and API responses.
- Awesome Motive says it has revoked and rotated the compromised CDN credentials, remediated and migrated the affected marketing server, purged malicious files from the CDN, and launched a broader security review.
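A defender-side triage check for the indicators listed above, added here as example code (it is not from the article, Sansec, or Awesome Motive). Because the backdoor filters the in-app plugin and user listings, it assumes the inputs are collected out of band: the directory names under wp-content/plugins from the filesystem, the plugin list WordPress reports (`wp plugin list` or REST /wp/v2/plugins), and user rows read straight from the wp_users/wp_usermeta tables; the `dev_` login pattern is an assumption about what “dev_xxxxxx” means.

```python
import re

# Indicators taken from the article: slugs the backdoor plugin has shipped under,
# the fixed administrator account it plants, and its randomized dev_ accounts.
KNOWN_SLUGS = {"content-delivery-helper", "database-optimizer"}
FIXED_LOGIN = "developer_api1"
FIXED_EMAIL = "customer1usx@gmail.com"
# Assumption: "dev_xxxxxx" means dev_ followed by a short run of random alphanumerics.
DEV_LOGIN_RE = re.compile(r"^dev_[a-z0-9]{4,12}$", re.IGNORECASE)


def hidden_plugins(on_disk, reported):
    """Plugin directories present on disk that WordPress does not report.
    A plugin that hooks the listings to hide itself still has to exist under
    wp-content/plugins, so the gap between the two views is the signal."""
    return sorted(set(on_disk) - set(reported))


def known_backdoor_slugs(on_disk):
    """Directories matching the slugs the backdoor has been seen using."""
    return sorted(set(on_disk) & KNOWN_SLUGS)


def suspicious_admins(users):
    """users: iterable of (login, email, role) rows read directly from the
    database, not from the admin user list (which the backdoor filters)."""
    hits = []
    for login, email, role in users:
        if login == FIXED_LOGIN or email.lower() == FIXED_EMAIL:
            hits.append(login)
        elif role == "administrator" and DEV_LOGIN_RE.match(login):
            hits.append(login)
    return hits


def triage(on_disk, reported, users):
    return {
        "hidden_plugins": hidden_plugins(on_disk, reported),
        "known_backdoor_slugs": known_backdoor_slugs(on_disk),
        "suspicious_admins": suspicious_admins(users),
    }


if __name__ == "__main__":
    # Constructed sample data, not taken from any real site.
    disk = ["akismet", "optinmonster", "database-optimizer"]
    shown = ["akismet", "optinmonster"]  # backdoor filtered itself out of the listing
    users = [("alice", "alice@example.com", "administrator"),
             ("developer_api1", "customer1usx@gmail.com", "administrator"),
             ("dev_k3j9x2", "x@example.com", "administrator"),
             ("dev_bob", "bob@example.com", "editor")]
    for key, value in triage(disk, shown, users).items():
        print(f"{key}: {value}")
```

Any non-empty result is an indicator of compromise and should trigger the remediation steps above (remove the backdoor, rotate credentials and WordPress security keys, assume full administrative access).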