An attacker tampered with trusted JavaScript files used by WordPress sites running PushEngage, OptinMonster, and TrustPulse, turning those files into a way to break into the sites.
When a site administrator was logged in as the file loaded, the code created an admin account under the attacker’s control and installed a hidden plugin that opened a way back in. Ordinary visitors did not trigger it…
Read the rest of the story at Read More
Source: The Hacker News
Leave a Comment