If your site uses OptinMonster, TrustPulse, or PushEngage, check your admin users now. Attackers tampered with vendor-hosted scripts and used real administrator sessions to create rogue admin accounts and install a hidden backdoor plugin.
Tampered plugin scripts created hidden admin accounts
Patchstack reports that a supply chain attack hit three popular WordPress marketing plugins. In plain English, attackers did not break into your site through a normal plugin bug. They changed JavaScript files that the plugin vendors served from their content delivery network, the outside service from which the plugin loads code into your site.
That code ran in the browser of any logged-in WordPress administrator who opened an affected page. Once it ran, it used that admin’s own session to create hidden administrator accounts and install a backdoor plugin that tried to hide itself. Patchstack says it blocked 271 attempts across customer sites over about 36 hours.
This hit sites that used OptinMonster, TrustPulse, or PushEngage while the vendors were serving the tampered scripts. The source does not tie the attack to one plugin version. That matters, because updating alone does not tell you whether the attack already added an account or plugin to your site.
Audit your administrator list and installed plugins now, remove anything you did not create, and follow the cleanup guidance from your plugin vendor before any administrator logs in again.
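One way to run that audit against a known-good baseline, as an added example that is not from the article or from Patchstack. It assumes you captured WP-CLI's `wp user list` and `wp plugin list` output in JSON and listed the directories under wp-content/plugins; the sample data, baseline and the plugin name "wp-core-helper" are all constructed for the example.

```python
import json

# Constructed sample of:
#   wp user list --role=administrator --fields=user_login,user_registered --format=json
ADMINS_JSON = """[
  {"user_login": "owner", "user_registered": "2021-03-04 10:00:00"},
  {"user_login": "wp_sys_maint", "user_registered": "2024-05-21 03:12:45"}
]"""

# Constructed sample of:  wp plugin list --fields=name,status --format=json
PLUGINS_JSON = """[
  {"name": "optinmonster", "status": "active"},
  {"name": "akismet", "status": "inactive"}
]"""

# Constructed: directory names found on disk under wp-content/plugins.
# "wp-core-helper" is an invented name, not an indicator from the article.
PLUGIN_DIRS = ["akismet", "optinmonster", "wp-core-helper"]

# Hypothetical known-good state recorded before the incident.
BASELINE_ADMINS = {"owner"}
BASELINE_PLUGINS = {"optinmonster", "akismet"}


def audit(admins_json, plugins_json, plugin_dirs, baseline_admins, baseline_plugins):
    """Return findings for a responder to review, each as a sorted list."""
    admins = {u["user_login"]: u["user_registered"] for u in json.loads(admins_json)}
    reported = {p["name"] for p in json.loads(plugins_json)}
    on_disk = set(plugin_dirs)
    return {
        # Administrator accounts that nobody on the team created.
        "unexpected_admins": sorted(
            f"{login} (registered {registered})"
            for login, registered in admins.items() if login not in baseline_admins
        ),
        # Anything WordPress reports or that sits on disk but was not in the baseline.
        "unexpected_plugins": sorted((reported | on_disk) - baseline_plugins),
        # On disk but absent from what WordPress reports: a plugin that hides itself
        # from the plugin list still has to keep its files in wp-content/plugins.
        "hidden_plugin_candidates": sorted(on_disk - reported),
    }


if __name__ == "__main__":
    for kind, items in audit(ADMINS_JSON, PLUGINS_JSON, PLUGIN_DIRS,
                             BASELINE_ADMINS, BASELINE_PLUGINS).items():
        print(f"{kind}: {items or 'none'}")
```

Treat every finding as something to verify by hand, and take the baseline from a backup or change record made before the vendors served the tampered scripts, not from the current site.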