PushEngage hit by cyberattack
Incident
Summary
A PushEngage script-tampering incident put WordPress sites at risk of takeover after poisoned JavaScript was served through trusted plugin delivery paths. The same malicious code also appeared in OptinMonster and TrustPulse deliveries, and it only triggered when a logged-in WordPress administrator loaded the page. Sites that loaded the backdoored scripts should be treated as compromised, because the payload could create attacker-controlled admin access and hide a persistent entry point.
Related Happenings
PushEngage, OptinMonster, and TrustPulse CDN script-tampering campaign
Campaign
H score: 28
First: 15.06.2026 12:59
Last: 15.06.2026 12:59
Sources 1
How related:
Security firm Sansec disclosed the wider campaign on June 13, finding the same malicious code in JavaScript served for all three plugins.
About this happening:
A **multi-plugin JavaScript tampering campaign** spread poisoned code through **PushEngage**, **OptinMonster**, and **TrustPulse**, putting more than **1.2 million WordPress sites...
Funnel Builder security patch release (version 3.15.0.3)
Security Patch Release
H score: 48
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**FunnelKit** released **version 3.15.0.3** to fix a **Funnel Builder** flaw that was being **actively exploited** to inject malicious JavaScript into **WooCommerce checkout pages...
Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw
Vulnerability
H score: 48
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...
Funnel Builder 3.15.0.3 security update
Security Patch Release
H score: 43
First: 15.05.2026 22:30
Last: 15.05.2026 22:30
Sources 1
About this happening:
**FunnelKit** released **Funnel Builder 3.15.0.3** to fix an **actively exploited** flaw affecting **WordPress/WooCommerce checkout pages**, closing a path that could inject malic...
GutenKit and Hunk Companion actively exploited unauthenticated plugin-install flaws (multiple vulnerabilities)
Vulnerability
H score: 53
First: 27.10.2025 12:15
Last: 27.10.2025 12:15
Sources 1
About this happening:
**WordPress** sites using **GutenKit** and **Hunk Companion** are facing **actively exploited** plugin-install flaws tracked as **CVE-2024-9234**, **CVE-2024-9707**, and **CVE-202...
Timeline
- 15.06.2026 12:59 · 1 article · 4h ago
tidio[.]cc is registered before the WordPress plugin compromise
Technical Analysis Update: The domain tidio[.]cc is registered on April 28, weeks before malicious JavaScript is served through PushEngage, OptinMonster, and TrustPulse, indicating preparation for a planned campaign that later uses the fake domain for data exfiltration from compromised WordPress sites.
Sources:
- Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites — thehackernews.com — 15.06.2026 12:59
- 15.06.2026 12:59 · 2 articles · 4h ago
Poisoned plugin JavaScript creates attacker-controlled WordPress admin access
Exploitation Observed: On June 12, malicious JavaScript delivered for PushEngage, OptinMonster, and TrustPulse can activate only when a logged-in WordPress administrator loads it, then use that session to create an attacker-controlled admin account and install a hidden web shell backdoor on the affected site.
Sources:
- Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites — thehackernews.com — 15.06.2026 12:59
- Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites — thehackernews.com — 15.06.2026 12:59
- 15.06.2026 12:59 · 1 article · 4h ago
PushEngage scripts keep serving from some CDN servers into June 14
Victim Impact Update: PushEngage's tampered script remains available from some client CDN servers into June 14, extending the exposure window for sites loading pushengage-web-sdk.js and pushengage-subscription.js from clientcdn.pushengage.com.
Sources:
- Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites — thehackernews.com — 15.06.2026 12:59
- 13.06.2026 03:00 · 1 article · 2d ago
Sansec discloses malicious JavaScript across PushEngage, OptinMonster, and TrustPulse
Initial Disclosure: Sansec discloses the wider campaign on June 13 after finding the same malicious code in JavaScript served for PushEngage, OptinMonster, and TrustPulse, and warns that any site that loaded the poisoned script should be treated as compromised.
Sources:
- Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites — thehackernews.com — 15.06.2026 12:59