TechRadar
Sead Fadilpašić

Over 1 million WordPress sites at risk after popular plugin hacked — OptinMonster among those hit in CDN supply-chain attack

WordPress brand logo on computer screen. Man typing on the keyboard.
  • Vulnerability in UpdraftPlus plugin on Awesome Motive’s marketing server enabled CDN compromise and malicious JavaScript injection
  • Malware targeted logged‑in WordPress admins, harvesting tokens and creating rogue accounts for full takeover
  • Site owners urged to check for fake admin accounts (‘developer_api1’, ‘dev_xxxxxx’), hidden backdoor plugins, and rotate credentials/security salts

More than a million WordPress websites were at risk of full website takeover, after a vulnerability in a plugin enabled a large-scale supply-chain attack. The attack was spotted over the weekend by the ecommerce security outfit Sansec, and later confirmed by the victim company.

According to the researchers, hackers found and exploited a vulnerability in the UpdraftPlus WordPress plugin running on a marketing server belonging to Awesome Motive, the company behind multiple popular WordPress products including OptinMonster, TrustPulse, and PushEngage.

Even though the vulnerable server was not part of the production environment, it stored credentials for the company’s content delivery network (CDN), and by using the stolen CDN API key, the attackers were able to modify JavaScript files distributed through Awesome Motive's CDN.

Targeting admins only

The compromised files were loaded by OptinMonster, TrustPulse, and PushEngage, meaning the attackers’ JavaScript was served to visitors of sites using those products, but not to all of them.

The malware only activated when a logged-in WordPress admin visited an affected site, helping it remain hidden while targeting only high-privilege users. The malicious script then harvested administrator authentication tokens and WordPress nonces, using them to create new admin accounts.

In the next step, the attackers installed additional malicious plugins, established command-and-control infrastructure, and began exfiltrating sensitive data. The malware also enabled web shell functionality, arbitrary PHP code execution, file management features, and virtually anything else an admin might do.

Even after Awesome Motive removed the malicious CDN scripts, attackers retained control of already compromised websites through the rogue administrator accounts and hidden backdoor plugins. Therefore, website owners at risk of takeover should look for rogue admin accounts named ‘developer_api1’ or ‘dev_xxxxxx’, inspect the filesystem directly under wp-content/plugins for hidden backdoor plugins, and execute server-side malware scans.

Furthermore, they should rotate admin passwords, API keys, database credentials, and WordPress security salts.
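The two checks above (rogue admin accounts and plugins present on disk but missing from the WordPress plugin list) and the salt rotation can be scripted. The following is an added example written for this article; it is not code from Sansec, Awesome Motive, or the article. It assumes the CSV output formats of the real WP-CLI commands `wp user list --role=administrator --format=csv` and `wp plugin list --format=csv`, and it interprets the article's ‘dev_xxxxxx’ as ‘dev_’ followed by six random lowercase alphanumerics (an assumption). All sample data is constructed.

```python
import csv
import io
import re
import secrets
import string

# Constructed sample of `wp user list --role=administrator --format=csv`
# output; the rows are made up for this example, not data from the incident.
ADMIN_USERS_CSV = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.com,2021-03-04 10:12:00,administrator
17,developer_api1,api@example.com,2025-11-29 02:14:33,administrator
18,dev_k3x9qz,noreply@example.com,2025-11-29 02:15:02,administrator
"""

# Constructed sample of `wp plugin list --format=csv` output.
PLUGIN_LIST_CSV = """name,status,update,version
optinmonster,active,none,0.0.0
updraftplus,active,none,0.0.0
"""

# Constructed listing of directory names under wp-content/plugins, as an
# `ls -a` of that directory would show them.
PLUGIN_DIRS = ["optinmonster", "updraftplus", "wp-cache-helper", ".tmp-plg"]

# Naming patterns from the article: 'developer_api1' and 'dev_xxxxxx'.
# Assumption: the six x's stand for six random lowercase alphanumerics.
ROGUE_LOGIN_PATTERNS = (
    re.compile(r"^developer_api\d+$"),
    re.compile(r"^dev_[a-z0-9]{6}$"),
)

# The eight secret constants WordPress reads from wp-config.php.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)


def find_rogue_admins(user_list_csv: str) -> list[str]:
    """Return administrator logins that match the rogue-account naming patterns."""
    rows = csv.DictReader(io.StringIO(user_list_csv))
    return [
        row["user_login"]
        for row in rows
        if "administrator" in row["roles"].split(",")
        and any(p.match(row["user_login"]) for p in ROGUE_LOGIN_PATTERNS)
    ]


def find_hidden_plugins(plugin_dirs: list[str], plugin_list_csv: str) -> list[str]:
    """Return plugin directories present on disk that WordPress does not list.

    A backdoor plugin that filters itself out of the plugin list still has to
    live under wp-content/plugins, so the filesystem is the ground truth.
    """
    known = {row["name"] for row in csv.DictReader(io.StringIO(plugin_list_csv))}
    return sorted(d for d in plugin_dirs if d not in known)


def generate_wp_salts(length: int = 64) -> str:
    """Return fresh define() lines for wp-config.php.

    Rotating these invalidates every existing login cookie and nonce, which
    ends any session the attackers still hold. The character set leaves out
    the single quote and backslash so the values are safe inside PHP
    single-quoted strings.
    """
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?/~"
    lines = []
    for key in WP_SALT_KEYS:
        value = "".join(secrets.choice(alphabet) for _ in range(length))
        lines.append(f"define('{key}', '{value}');")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Rogue admin logins:", find_rogue_admins(ADMIN_USERS_CSV))
    print("Plugin dirs not reported by WordPress:",
          find_hidden_plugins(PLUGIN_DIRS, PLUGIN_LIST_CSV))
    print("New wp-config.php salts:\n" + generate_wp_salts())
```

The account check is only a first pass: an attacker can pick any name, so every administrator created after the compromise window deserves review regardless of login. The plugin check deliberately trusts the directory listing over WordPress's own view, since the article's point is that backdoor plugins hide from the dashboard. Replacing the salt block in wp-config.php forces every user to log in again, which is the intended effect after a takeover.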

Via BleepingComputer
