An attacker tampered with trusted JavaScript files used by
WordPress sites running PushEngage, OptinMonster, and TrustPulse,
turning those files into a way to break into the sites. When a site
administrator was logged in as the file loaded, the code created an
admin account under the attacker's control and installed a hidden
plugin that opened a way back in. Ordinary visitors did not trigger
it
Read more https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html
