An attacker compromised Awesome Motive’s content delivery network and appended malicious JavaScript to the front-end SDKs of three popular WordPress plugins: OptinMonster (1.2M+ installs), TrustPulse, and PushEngage. The tampered scripts ran inside the browser of any logged-in administrator who loaded an affected page, used that admin’s own session to create hidden administrator accounts, and installed a self-hiding backdoor plugin with a full web shell. Discovered by Sansec over the weekend and detailed by OptinMonster and Patchstack, this is a CDN-tier compromise: a fully patched, well-configured site could still be served the payload, because nothing on the customer’s site was touched.
Attack chain
The plugins themselves were never modified; no malicious update was pushed. According to Awesome Motive, the attacker exploited a known vulnerability in the UpdraftPlus plugin running on OptinMonster’s marketing website, a server separate from production infrastructure. That box held credentials for the company’s CDN account. With the stolen CDN API key, the attacker edited the minified SDK files served from the CDN edge, appending their payload to the legitimate code so the scripts kept working normally. The affected files:
- a.omappapi.com/app/js/api.min.js, a.opmnstr.com/app/js/api.min.js, a.optnmstr.com/app/js/api.min.js (OptinMonster)
- a.trstplse.com/app/js/api.min.js (TrustPulse)
- clientcdn.pushengage.com/sdks/pushengage-web-sdk.js (PushEngage)
What the payload does
The injected code is deliberate and staged. It first runs anti-analysis checks (navigator.webdriver, window._phantom, window.__nightmare, zero-size windows) and confirms it is in front of a logged-in admin by looking for the admin bar, /wp-admin/ paths, and the wordpress_logged_in_ cookie. It stamps localStorage so it won’t re-fire on the same browser for 24 hours.
It then harvests a valid REST nonce (from wpApiSettings, admin-ajax.php?action=rest-nonce, or by scraping the new-user page) and creates a rogue administrator using four fallback methods until one works: the REST API (POST /wp-json/wp/v2/users), the admin form (POST /wp-admin/user-new.php), AJAX (admin-ajax.php), and a hidden 1×1 iframe. It plants a fixed identity, developer_api1 / [email protected], and randomized dev_xxxxxx accounts. Finally it uploads a backdoor plugin via POST /wp-admin/update.php?action=upload-plugin, disguised as “Content Delivery Helper” (content-delivery-helper v2.7.1) or “Database Optimizer” (database-optimizer v2.9.4) and hidden from the plugin list, user list, and activity logs. The backdoor exposes a web shell (“WPM File Manager & Shell”) via ?developer_api1_fm running system($_POST['cmd']), plus a developer_api1_eval endpoint for arbitrary PHP. Stolen data is XOR-encrypted (key jX9kM2nP4qR6sT8v) and beaconed to tidio.cc.
The critical point: this is not CSRF or a plugin bug. Every malicious request carries the administrator’s real cookies and a valid nonce, because the administrator’s own browser issued it. At the network layer it is nearly indistinguishable from legitimate admin work, which is exactly why a WAF can only key on the attacker’s hardcoded identifiers.
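As an added example (not from the advisory or any of the vendors), a small shell triage of a constructed access-log excerpt shows what that means in practice: only the developer_api1_* identifiers give a high-confidence hit, while the user-creation, plugin-upload and nonce endpoints are ordinary admin traffic that has to be correlated with who was logged in at the time. Log format, IPs and timestamps are made up.

```shell
#!/bin/sh
# Added example, not from the advisory: triage a web-server access log for
# the request patterns the injected script makes from the admin's browser.
# Only the developer_api1_* identifiers are unique to this campaign; the
# endpoints it abuses are legitimate admin endpoints, so those are marked
# REVIEW for correlation (which admin, which IP, how close together).

# Reads combined-format log lines on stdin, prints HIGH / REVIEW lines.
triage_log() {
  while IFS= read -r line; do
    req=${line#*\"}; req=${req%%\"*}      # the "METHOD /path HTTP/x" part
    case "$req" in
      *developer_api1_fm*|*developer_api1_eval*)
        printf 'HIGH   %s\n' "$req" ;;    # direct hit on the web shell / eval endpoint
      "POST /wp-json/wp/v2/users"*|"POST /wp-admin/user-new.php"*|\
      "POST /wp-admin/update.php?action=upload-plugin"*|\
      "POST /wp-admin/admin-ajax.php?action=rest-nonce"*)
        printf 'REVIEW %s\n' "$req" ;;    # user creation, plugin upload, nonce harvest
    esac
  done
}

# Constructed sample (not real traffic); IPs, times and sizes are made up.
SAMPLE_LOG='203.0.113.7 - - [12/Jun/2025:22:20:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jun/2025:22:20:04 +0000] "POST /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1" 200 10
203.0.113.7 - - [12/Jun/2025:22:20:05 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 812
203.0.113.7 - - [12/Jun/2025:22:20:07 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0
198.51.100.9 - - [13/Jun/2025:03:12:02 +0000] "GET /?developer_api1_fm=1 HTTP/1.1" 200 2048
192.0.2.5 - - [13/Jun/2025:09:00:00 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 4096'

printf '%s\n' "$SAMPLE_LOG" | triage_log
```

On a real server, feed it the web log instead of the sample (for example `triage_log < /var/log/apache2/access.log`, path being an assumption) and look for a nonce fetch, user creation and plugin upload landing within seconds of one admin's page load.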
Timeline and scale
The C2 domain tidio.cc, impersonating live-chat vendor Tidio, was registered on April 28, indicating premeditation. Malware was first observed in the OptinMonster and TrustPulse SDKs on June 12 at 22:17 UTC, last verified there at 22:42 UTC. The PushEngage SDK kept serving injected code from some CDN edges until June 13, 19:02 UTC as caches purged; it was cleaned by June 14, when OptinMonster published its disclosure. Sansec estimates 1.2M+ sites were potentially exposed; Patchstack’s mitigation blocked 271 rogue-admin attempts across 13 sites from 81 residential IPs in its first 36 hours. Awesome Motive says it migrated the marketing site, rotated all credentials including the CDN key, and that its application servers, source code, and plugin-hosting systems were not breached.
Indicators of compromise
- Rogue accounts: developer_api1 / [email protected]; dev_xxxxxx / [email protected]
- Backdoor plugins: content-delivery-helper (v2.7.1), database-optimizer (v2.9.4); UI string “WPM File Manager & Shell”
- Backdoor params: ?developer_api1_fm, developer_api1_eval
- C2: tidio.cc (84.201.6.54, Ultahost AS214036); paths /cdn-cgi/pe-p, /cdn-cgi/pe-b, /cdn-cgi/pe-l
- Malware signature: XOR key jX9kM2nP4qR6sT8v
What to do now
Removing the malicious script from the vendor’s CDN does not clean a site that was already hit; the attacker’s admin accounts and backdoor persist. If you run any of these plugins and an admin loaded the site around June 12–14:
- Audit admin accounts. Delete developer_api1 and any dev_xxxxxx users; review every administrator.
- Inspect the filesystem, not the dashboard. The backdoor hides from the UI. Check wp-content/plugins/ directly for content-delivery-helper, database-optimizer, or anything unfamiliar, and grep for developer_api1_fm, developer_api1_eval, and the XOR key.
- Run a server-side malware scan.
- Rotate everything if you find a compromise: admin passwords, API keys, database credentials, and the WordPress salts in wp-config.php.
- Block tidio.cc (84.201.6.54) at the DNS or network layer.
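The filesystem check from the list above, written out as an added example (not the vendors’ code): it walks wp-content for the backdoor slugs and the campaign’s identifier strings and exercises itself on a constructed throwaway tree. The WordPress root path is an assumption; point it at your own install.

```shell
#!/bin/sh
# Added example, not from the advisory: audit the filesystem for the backdoor
# described above instead of trusting the dashboard, which it hides from.
# Assumption: WordPress lives under $1 (defaults to /var/www/html).

IOC_SLUGS="content-delivery-helper database-optimizer"
IOC_STRINGS='developer_api1_fm|developer_api1_eval|jX9kM2nP4qR6sT8v|WPM File Manager|tidio\.cc'

# Prints one line per finding: backdoor plugin directories by slug, then any
# file under wp-content that contains one of the campaign's identifiers.
audit_wp_content() {
  root=${1:-/var/www/html}
  for slug in $IOC_SLUGS; do
    if [ -d "$root/wp-content/plugins/$slug" ]; then
      echo "BACKDOOR DIR: wp-content/plugins/$slug"
    fi
  done
  grep -rlE "$IOC_STRINGS" "$root/wp-content" 2>/dev/null \
    | sed "s|^$root/|IOC STRING:   |" || true
}

# Constructed fixture: a throwaway tree with one benign plugin and one planted
# backdoor directory carrying only a marker comment (no executable payload).
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins/akismet" "$d/wp-content/plugins/content-delivery-helper"
  printf '<?php\n/* Plugin Name: Akismet */\n' > "$d/wp-content/plugins/akismet/akismet.php"
  printf '<?php\n/* Plugin Name: Content Delivery Helper\n * Version: 2.7.1 */\n// marker: developer_api1_fm\n' \
    > "$d/wp-content/plugins/content-delivery-helper/content-delivery-helper.php"
  echo "$d"
}

FIXTURE=$(make_fixture)
audit_wp_content "$FIXTURE"
rm -rf "$FIXTURE"
# Where WP-CLI is installed, pair this with the account audit:
#   wp user list --role=administrator --fields=user_login,user_email,user_registered
```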
The lesson for infrastructure teams: your supply chain doesn’t end at the packages you install; it extends to every third-party asset they load at runtime. A trusted CDN script can turn hostile without a single change on your side. Treat externally hosted SDKs as untrusted code, pin and monitor what they do, and assume “fully patched” is not the same as “safe.”
Sources: OptinMonster advisory · Sansec research · Patchstack analysis · BleepingComputer