A recently reported cyberattack has exposed over 1.2 million WordPress sites to potential harm, making it one of the largest supply chain attacks to date against WordPress plugins. Instead of breaking into sites one at a time, the attackers injected malicious code into legitimate JavaScript files served from the plugin vendor's own, trusted CDN infrastructure.
Scope of the Attack
Security experts from Sansec identified a malicious campaign aimed at plugins created by Awesome Motive, including OptinMonster, TrustPulse, and PushEngage. These plugins have millions of installations globally, with OptinMonster alone being active on over a million sites.
Rather than targeting individual sites, attackers compromised upstream JavaScript files hosted on Awesome Motive’s CDN. This strategy ensured that any site loading these scripts would unknowingly execute the malware, echoing previous large-scale supply chain attacks.
Technical Details of the Breach
The malicious code only runs once it detects a logged-in WordPress administrator in the browser, so automated scanners that fetch pages anonymously never see it fire. Once active, the script confirms it is running inside an admin session, collects site metadata, and harvests the authentication tokens (the WordPress nonces that authorize REST and admin-ajax requests from a logged-in session).
Armed with those tokens and the administrator's own session cookies, the malware tries to create unauthorized administrator accounts, both through REST API calls and by submitting the user-creation form. The trojanized scripts were served from Awesome Motive's own CDN hostnames, such as a.omappapi.com and a.opmnstr.com, so they arrived over exactly the channel sites already trusted.
For persistence it creates a fixed account named developer_api1 plus additional accounts with randomized names. The stolen credentials and site details are encrypted and posted to a command-and-control server at tidio.cc, a lookalike of a legitimate vendor's domain chosen so the traffic does not raise alarms.
Identifying and Mitigating the Threat
Organizations should hunt for indicators of compromise: requests to or references to the domain tidio.cc, administrator accounts they did not create, and hidden plugins in directories named content-delivery-helper or database-optimizer. The string jX9kM2nP4qR6sT8v is the XOR key the malware uses to encode its exfiltrated data; its presence in a file is itself a reliable indicator of compromise, and because XOR is symmetric the same string decodes any captured payload.
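The following is an added example, not code from Sansec, Patchstack or Awesome Motive: a small IOC sweep that checks a WordPress install for the indicators listed above (the tidio.cc domain, the XOR key string, the two hidden plugin directory names, and the developer_api1 account plus any unrecognized administrator), and that tries the XOR key against a captured blob to see whether it decodes to JSON. The directory tree, the user list (shaped like the output of `wp user list --format=json`) and the exfil blob are all constructed for the demo; the sample plugin file only carries the indicator strings and is not malware.

```python
"""IOC sweep for the Awesome Motive CDN compromise (added example, not vendor code)."""
import json
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
C2_DOMAIN = "tidio.cc"
XOR_KEY = b"jX9kM2nP4qR6sT8v"
ROGUE_USER = "developer_api1"
ROGUE_PLUGIN_DIRS = {"content-delivery-helper", "database-optimizer"}
SCAN_SUFFIXES = {".js", ".php", ".html", ".json"}


def scan_files(webroot):
    """Return (relative path, reason) pairs for files carrying an indicator string."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if C2_DOMAIN.encode() in data:
            hits.append((rel, "references C2 domain " + C2_DOMAIN))
        if XOR_KEY in data:
            hits.append((rel, "contains XOR key string"))
    return hits


def find_rogue_plugins(webroot):
    """List plugin directories whose names match the hidden plugins from the report."""
    plugins = Path(webroot) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    return sorted(p.name for p in plugins.iterdir()
                  if p.is_dir() and p.name in ROGUE_PLUGIN_DIRS)


def find_rogue_admins(users, known_admins):
    """users: dicts with user_login and roles (assumed shape of `wp user list --format=json`).
    known_admins: logins the site owner actually created. Flags developer_api1
    and any administrator not on the known list (the randomized accounts)."""
    flagged = []
    for u in users:
        login = u["user_login"]
        is_admin = "administrator" in u.get("roles", [])
        if login == ROGUE_USER or (is_admin and login not in known_admins):
            flagged.append(login)
    return flagged


def xor_with_key(data, key=XOR_KEY):
    """Repeating-key XOR; encodes and decodes with the same call."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_exfil(blob):
    """Try the reported key against a captured blob; return the JSON object or None."""
    plain = xor_with_key(blob)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None


def build_demo_site():
    """Constructed WordPress tree: one benign plugin, one hidden-plugin stand-in."""
    root = Path(tempfile.mkdtemp(prefix="wp-ioc-"))
    plugins = root / "wp-content" / "plugins"
    (plugins / "akismet").mkdir(parents=True)
    (plugins / "akismet" / "akismet.php").write_text("<?php // benign plugin\n")
    (plugins / "content-delivery-helper").mkdir()
    (plugins / "content-delivery-helper" / "helper.php").write_text(
        "<?php // constructed stand-in: carries only the indicator strings\n"
        "$c2 = 'https://tidio.cc/collect';\n"
        "$k = 'jX9kM2nP4qR6sT8v';\n")
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    return root


# Constructed user list in the shape `wp user list --format=json` would give.
DEMO_USERS = [
    {"user_login": "siteowner", "roles": ["administrator"]},
    {"user_login": "editor1", "roles": ["editor"]},
    {"user_login": "developer_api1", "roles": ["administrator"]},
    {"user_login": "x7q2lk9m", "roles": ["administrator"]},
]

if __name__ == "__main__":
    site = build_demo_site()
    print("file hits:", scan_files(site))
    print("rogue plugins:", find_rogue_plugins(site))
    print("rogue admins:", find_rogue_admins(DEMO_USERS, {"siteowner"}))
    # Constructed exfil blob: JSON XORed with the reported key.
    blob = xor_with_key(json.dumps({"site": "https://example.com", "user": "siteowner"}).encode())
    print("decoded exfil:", decode_exfil(blob))
```

On a real site, point `scan_files` and `find_rogue_plugins` at the web root and feed `find_rogue_admins` the parsed output of `wp user list --role=administrator --format=json`; any hit on the XOR key string is worth treating as a confirmed compromise rather than a false positive, since that string has no legitimate reason to appear in a plugin.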
Active exploitation has been confirmed: Patchstack reports blocking numerous attempts to create rogue admin accounts. Awesome Motive traced the breach to a vulnerability in the UpdraftPlus plugin on one of its own servers, which let the attackers gain access to that server, retrieve a CDN API key, and push the malicious code out through the CDN.
Response and Recommendations
Awesome Motive has since removed the malicious scripts, rotated credentials, purged CDN caches, and migrated the affected systems. Because the scripts ran inside administrators' browsers, cleanup on the vendor side does not undo accounts or plugins already planted on individual sites, so plugin users should audit their administrator accounts, scan for the hidden plugins named above, and rotate credentials as a precaution.
This incident underscores the increasing threat of supply chain attacks in the WordPress ecosystem, highlighting how compromising a single trusted source can have widespread repercussions across millions of websites.
