CVE-2026-10795 describes a CDN-layer supply chain attack in which BunnyNet CDN credentials were compromised, enabling attackers to tamper with JavaScript assets served by three Awesome Motive WordPress plugins (PushEngage, OptinMonster, TrustPulse) to approximately 1.2 million sites during a June 12-14 UTC window. Any site where a WordPress administrator loaded the tampered script had their session hijacked to create hidden admin accounts and deploy server-side web shells. The WordPress admin dashboard cannot be trusted on affected sites — forensic investigation is server-side only.