Trusted WordPress Plugins Created Secret Admin Accounts

TL;DR: A supply-chain attack compromised JavaScript files used by popular WordPress plugins like OptinMonster. The malicious code created hidden admin accounts on affected sites, giving attackers full control when an administrator was logged in.
Key facts
- Category: Cybersecurity
- Impact: Critical
- Published:
- Source: The Hacker News
Full summary
A supply-chain attack on popular WordPress plugins created hidden admin accounts, giving attackers full control of affected sites when an admin logged in.
An attacker compromised trusted third-party JavaScript files used by several popular WordPress plugins, including OptinMonster, PushEngage, and TrustPulse. The supply-chain attack turned a legitimate marketing tool into a stealthy backdoor. The malicious code was selective: it activated only when a logged-in site administrator visited a page where the script was loaded, and did nothing for ordinary visitors, which made it hard to spot through normal traffic monitoring or automated scans that crawl a site unauthenticated. Once activated, the script created a new, hidden administrator account on the WordPress site, giving the attacker the highest level of access. To keep that access, the code also installed a hidden plugin that acted as a persistent backdoor, so the attacker could regain entry even after the compromised script itself was cleaned up, enabling a complete and covert takeover of affected sites.
The incident is a reminder of the risk that third-party dependencies carry in modern web development. When a site loads an external script, it implicitly trusts that script's provider, and the script runs in the site's own origin with whatever privileges the current visitor has; when that visitor is an administrator, the script can do anything the administrator can. If the provider is compromised, every site loading the script is exposed at once. For businesses running on WordPress, the impact is severe: an attacker with full administrative privileges can steal user data, inject malware to infect visitors, add SEO spam, or deface the site, causing significant reputational and financial damage. Because the attack only fired for administrators, a compromise could go unnoticed for an extended period, giving the attacker time to establish a deep and persistent foothold. This compromise affects any organization that uses these plugins to manage marketing and user engagement, putting their digital assets and customer trust at immediate risk.
Why it matters
This supply-chain attack highlights the hidden risks of using third-party scripts. A compromised dependency can grant attackers full control over a website, bypassing traditional security measures and leading to data theft or complete site defacement.
Business impact
A compromised website with a hidden admin can lead to severe business disruption, including data breaches of customer information, financial loss, and significant reputational damage. The cost of incident response and recovery can be substantial.
⚡ Action needed
Site administrators should immediately check for unauthorized admin accounts and suspicious plugins. Reviewing third-party script integrity is also recommended.
Action checklist
1. Audit all administrator-level user accounts on your WordPress site.
2. Remove any unfamiliar or unauthorized admin users immediately.
3. Scan your site for unknown or suspicious plugins and themes, including ones that may be hidden from the dashboard.
4. Force a password reset for all existing administrator accounts.
5. Ensure all plugins, especially OptinMonster, PushEngage, and TrustPulse, are fully updated.
6. Consider a Content Security Policy (CSP) to restrict which origins may load scripts. Note the limit of this control: CSP cannot tell a trusted origin serving clean code from the same origin serving tampered code, and Subresource Integrity only helps for scripts whose exact version you pin yourself.
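The first three checklist items can be scripted. The helper below is an added example, not code from the article or from the plugin vendors: it reads the JSON that two WP-CLI commands produce (the field names are assumed from WP-CLI's default output) and flags administrator accounts that are not on a known-good list or were registered after the last review, plus plugins that are missing from your baseline or have updates pending. All sample data is constructed for the example; in particular the plugin name `wp-core-helper` is made up to stand in for an unexpected entry and is not the backdoor from the incident.

```python
"""Triage helper for the admin-account and plugin checks above.

Added example, not code from the article or from the plugin vendors. It expects
the output of these WP-CLI commands (field names assumed from WP-CLI defaults):

    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=json
    wp plugin list --fields=name,status,update,version --format=json
"""
import json
from datetime import datetime

# --- Constructed sample data standing in for the two WP-CLI outputs ----------
USERS_JSON = """[
  {"ID": 1,  "user_login": "siteowner",  "user_email": "owner@example.com",
   "user_registered": "2021-03-02 10:15:00"},
  {"ID": 57, "user_login": "wp_support", "user_email": "support@example-mail.net",
   "user_registered": "2025-11-20 03:41:12"}
]"""

# "wp-core-helper" is a made-up name for an unexpected plugin, not a real one.
PLUGINS_JSON = """[
  {"name": "optinmonster",   "status": "active", "update": "available", "version": "1.0.0"},
  {"name": "akismet",        "status": "active", "update": "none",      "version": "1.0.0"},
  {"name": "wp-core-helper", "status": "active", "update": "none",      "version": "1.0.0"}
]"""

# Baseline from the site's own records (hypothetical values for this sample).
KNOWN_ADMINS = {"siteowner"}
KNOWN_PLUGINS = {"optinmonster", "akismet"}
LAST_REVIEW = datetime(2025, 11, 1)   # when the admin list was last confirmed clean
WP_DATE = "%Y-%m-%d %H:%M:%S"         # format WordPress stores user_registered in


def audit_admins(users_json, known_admins=KNOWN_ADMINS, last_review=LAST_REVIEW):
    """Return one finding per administrator that fails either check.

    An account is flagged if its login is not in the known-good set, or if it
    was registered after the last review. A hidden account planted by a
    compromised script would normally trip both.
    """
    findings = []
    for user in json.loads(users_json):
        reasons = []
        registered = datetime.strptime(user["user_registered"], WP_DATE)
        if user["user_login"] not in known_admins:
            reasons.append("login not in known-admin list")
        if registered > last_review:
            reasons.append("registered after last review (%s)" % registered.date())
        if reasons:
            findings.append({"ID": user["ID"], "user_login": user["user_login"],
                             "user_email": user["user_email"], "reasons": reasons})
    return findings


def audit_plugins(plugins_json, known_plugins=KNOWN_PLUGINS):
    """Return plugins missing from the baseline and plugins with pending updates."""
    plugins = json.loads(plugins_json)
    return {
        "unknown": sorted(p["name"] for p in plugins if p["name"] not in known_plugins),
        "updates_available": sorted(p["name"] for p in plugins if p["update"] == "available"),
    }


if __name__ == "__main__":
    for f in audit_admins(USERS_JSON):
        print("ADMIN  #%s %-12s %s  <- %s"
              % (f["ID"], f["user_login"], f["user_email"], "; ".join(f["reasons"])))
    report = audit_plugins(PLUGINS_JSON)
    for name in report["unknown"]:
        print("PLUGIN %-14s not in baseline: inspect wp-content/plugins/%s before removing"
              % (name, name))
    for name in report["updates_available"]:
        print("PLUGIN %-14s update available" % name)
```

`wp plugin list` reads the plugins directory rather than going through the dashboard's display filters, so a plugin that has been hidden from the Plugins screen typically still shows up here; a plugin that is on disk but absent from your baseline deserves a look at its files before it is removed. Once a finding is confirmed, the remediation steps map onto WP-CLI as well: `wp user delete <ID> --reassign=<trusted ID>` for the rogue account, `wp plugin deactivate <name>` followed by `wp plugin delete <name>` for the backdoor plugin, and `wp plugin update --all` for item 5.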
Primary source: The Hacker News