- Vulnerability in UpdraftPlus plugin on Awesome Motive’s marketing server enabled CDN compromise and malicious JavaScript injection
- Malware targeted logged‑in WordPress admins, harvesting tokens and creating rogue accounts for full takeover
- Site owners urged to check for fake admin accounts (‘developer_api1’, ‘dev_xxxxxx’), hidden backdoor plugins, and rotate credentials/security salts
More than a million WordPress websites were at risk of full website takeover, after a vulnerability in a plugin enabled a large-scale supply-chain attack. The attack was spotted over the weekend by the ecommerce security outfit Sansec, and later confirmed by the victim company.
According to the researchers, hackers found and exploited a vulnerability in the UpdraftPlus WordPress plugin running on a marketing server belonging to Awesome Motive, the company behind multiple popular WordPress products including OptinMonster, TrustPulse, and PushEngage.
Even though the vulnerable server was not part of the production environment, it stored credentials for the company’s content delivery network (CDN), and by using the stolen CDN API key, the attackers were able to modify JavaScript files distributed through Awesome Motive’s CDN.
Targeting admins only
The compromised files were later used by OptinMonster, TrustPulse, and PushEngine, meaning the attackers’ JavaScript was served to visitors, but not all of them.
The malware only activated when a logged-in WordPress admin visited an affected site, helping it remain hidden while targeting only high-privilege users. The malicious script then harvested administrator authentication tokens and WordPress nonces, using them to create new admin accounts.
In the next step, the attackers installed additional malicious plugins, established command-and-control infrastructure, and began exfiltrating sensitive data. The malware also enabled web shell functionality,…
