Awesome Motive WordPress Plugin Supply-Chain Compromise

Attackers tampered with JavaScript served for **PushEngage**, **OptinMonster**, and **TrustPulse**, turning trusted WordPress plugin delivery paths into a site-takeover vector. The malicious code stayed dormant for ordinary visitors and activated when a logged-in WordPress administrator loaded the page, allowing the attacker to create a new admin account, install a self-hiding backdoor plugin or web shell, and exfiltrate credentials to **tidio[.]cc**. Available evidence ties the exposed deliveries to **Awesome Motive** infrastructure and shows the same code pattern across the three products, with **OptinMonster** and **TrustPulse** observed briefly on June 12 and **PushEngage** still serving malicious script on June 13 and into June 14 from some CDN servers. The activity moved beyond a single product problem because any WordPress site that loaded the poisoned files should be treated as potentially compromised, even if the visible script was later replaced. Available reporting puts the reachable install base for the three plugins at more than **1.2 million sites**, while direct confirmed compromise counts for individual sites have not been established. PushEngage said its main application and customer-data servers were not reached, but that statement does not remove the need for server-side review on exposed customer sites because attacker-created administrator access and hidden persistence could remain. Response has focused on replacing the tampered files, clearing CDN cache, rotating credentials, and urging affected site owners to inspect plugin directories, logs, accounts, and secrets for persistence. The initial access path into the delivery environment remains unresolved, and available evidence does not prove whether the separate **CVE-2026-10795** references explain the script compromise or describe parallel risk in the same WordPress ecosystem.