Tag: wordpress

28 Attack Reports | 0 Vulnerabilities

Attack reports

The Rise of Online Casino Spam

This analysis explores the growing prevalence of online casino spam, particularly targeting WordPress websites. The report details a sophisticated malware infection that employs multiple layers of redundancy and reinfection mechanisms. The malware injects spam content into existing pages, stores pa…
malware
spam
wordpress
gambling
indonesia
seo
2025-11-07
online casino
Published: November 7, 2025
Downloadable IOCs: 0

Attackers Actively Exploiting Critical Vulnerability in Service Finder Bookings Plugin

On June 8th, 2025, we received a submission through our Bug Bounty Program for an Authentication Bypass vulnerability in Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. This theme has been sold to approximately 6,000 customers. This vulnerability makes it possible…
exploit
vulnerability
wordpress
authentication bypass
2025-10-09
wordfence
service finder bookings
service finder
Published: October 9, 2025
Downloadable IOCs: 5

Hidden WordPress Backdoors Creating Admin Accounts

Two malicious files were discovered on a compromised WordPress website, designed to manipulate administrator accounts and maintain unauthorized access. The first file, disguised as a plugin called 'DebugMaster Pro', created a secret admin user and communicated with a command and control server. The…
backdoor
wordpress
credential theft
compromise
stealth
2025-09-24
debugmaster pro
admin accounts
Published: September 24, 2025
Downloadable IOCs: 0

Malicious JavaScript Injects Fullscreen Iframe On a WordPress Website

A JavaScript-based malware campaign has been discovered affecting compromised WordPress websites. The malware injects a fullscreen iframe that loads content from suspicious external domains, aiming to force users to view unsolicited content for ad fraud, traffic generation, or social engineering. T…
javascript
wordpress
fake captcha
anti-debugging
2025-08-14
iframe injection
wpcode plugin
powershell exploitation
fullscreen overlay
Published: August 14, 2025
Downloadable IOCs: 6

Efimer Trojan delivered via email and hacked WordPress websites

The Efimer Trojan is spreading through compromised WordPress sites, malicious torrents, and email campaigns impersonating lawyers. It steals cryptocurrency by replacing wallet addresses in the clipboard and can execute additional malicious scripts. The Trojan communicates with its command-and-contr…
cryptocurrency
wordpress
tor
brute-force
clipbanker
torrent
2025-08-08
email campaign
efimer
Published: August 8, 2025
Downloadable IOCs: 16

Active Exploitation of CVE-2025-5394 in Alone WordPress Theme

A critical arbitrary file-upload vulnerability (CVE-2025-5394) in the Alone - Charity Multipurpose Non-profit WordPress theme versions 7.8.3 and earlier is being actively exploited. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to upload malicious ZIP archives containing PHP …
vulnerability
wordpress
remote code execution
web shells
CVE-2025-5394
2025-08-01
theme
alone theme
arbitrary file upload
Published: August 1, 2025
Downloadable IOCs: 0

Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors

A sophisticated piece of malware was discovered embedded in a WordPress site's core files, specifically in wp-settings.php. The malware uses a ZIP archive to hide malicious code and perform search engine poisoning and unauthorized content injection. It employs dynamic Command and Control server sel…
seo poisoning
wordpress
2025-07-14
Published: July 14, 2025
Downloadable IOCs: 3

Attackers Inject Code into WordPress Theme to Redirect Visitors

An analysis reveals a recent attack vector targeting WordPress themes, specifically injecting malicious code into the footer.php file. The injected code uses a function called r2048 to retrieve a URL from a remote server and redirect visitors. This method is particularly insidious as it's not visib…
wordpress
code injection
curl
redirect
2025-07-11
footer.php
theme injection
file_get_contents
r2048 function
Published: July 11, 2025
Downloadable IOCs: 2

Deploying NetSupport RAT via WordPress & ClickFix

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that do…
phishing
wordpress
remote access
netsupport rat
post-exploitation
fake captcha
2025-07-10
dom manipulation
Published: July 10, 2025
Downloadable IOCs: 21

Fake Spam Plugin Uses Victim's Domain Name to Evade Detection

A sophisticated SEO spam infection was discovered utilizing a cleverly crafted plugin that mimics the infected domain's name to avoid detection. The malware injects spam content into websites, targeting search engine rankings, and only activates under specific conditions like when a crawler is dete…
obfuscation
wordpress
evasion techniques
search engine manipulation
code injection
remote control
2025-07-06
stealth malware
seo spam
plugin disguise
Published: July 6, 2025
Downloadable IOCs: 1

Analysis of a Malicious WordPress Plugin: The Covert Redirector

A malicious WordPress plugin named 'wordpress-player.php' has been discovered, affecting at least 26 websites. The plugin injects a hidden HTML5 video player and establishes a WebSocket connection to a command and control server. It redirects visitors to suspicious websites after 4-5 seconds, avoid…
wordpress
plugin
c2
seo
websocket
2025-06-19
redirect
wordpress-player.php
website-integrity
Published: June 19, 2025
Downloadable IOCs: 1

What is the Real Relationship between WordPress Hackers and Malicious Adtech?

An investigation into VexTrio, a malicious traffic distribution system (TDS), revealed surprising connections between WordPress hackers and adtech companies. When VexTrio's operations were disrupted, multiple malware actors migrated to a new TDS that was discovered to be related to VexTrio. Several…
malware
dns
wordpress
adtech
tds
push notifications
2025-06-13
balada
sign1
dollyway
hackers
affiliate networks
Published: June 13, 2025
Downloadable IOCs: 83

Part 2: Compromised WordPress Pages and Malware Campaigns

This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign tar…
xworm
phishing
ransomware
android
remcos
wordpress
credential theft
strela stealer
proton66
weaxor
2025-05-16
Published: May 16, 2025
Downloadable IOCs: 45

Proton66: Compromised WordPress Pages and Malware Campaigns

This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also…
xworm
phishing
ransomware
android
korea
remcos
wordpress
strela stealer
2025-04-18
germany
weaxor
Published: April 18, 2025
Downloadable IOCs: 48

Stripe API Skimming Campaign: Additional Victims & Insights

A sophisticated web skimming campaign has been discovered, utilizing a legacy Stripe API to validate stolen payment details before exfiltration. The attack involves multiple stages, including malicious loader injection, decoding, and skimming. Jscrambler's research team identified 49 affected merch…
wordpress
e-commerce
javascript injection
web skimming
payment fraud
stripe api
woocommerce
2025-04-03
client-side security
Published: April 3, 2025
Downloadable IOCs: 2

Fake Cloudflare Verification Results in LummaStealer Trojan Infections

A malicious campaign targeting Windows users through WordPress websites is deploying the LummaStealer trojan. Attackers use fake Cloudflare verification prompts to trick users into running malicious PowerShell commands. The infection is spread through compromised plugins or injected JavaScript in l…
powershell
lummac2
infostealer
trojan
wordpress
cloudflare
lummastealer
javascript injection
2025-03-20
Published: March 20, 2025
Downloadable IOCs: 4

Credit Card Skimmer and Backdoor on WordPress E-commerce Site

A sophisticated malware attack targeting WordPress WooCommerce sites was discovered, involving multiple components: a credit card skimmer, a hidden backdoor file manager, and a reconnaissance script. The attack focused on financial gain and long-term control. The skimmer, injected into the checkout…
backdoor
obfuscation
javascript
wordpress
reconnaissance
php
credit card skimmer
e-commerce
2025-03-15
woocommerce
Published: March 15, 2025
Downloadable IOCs: 0

Cascading Redirects: Unmasking a Multi-Site JavaScript Malware Campaign

A recent investigation uncovered a malicious JavaScript injection affecting WordPress websites, redirecting visitors to unwanted third-party domains. The attack vector involves a two-stage redirection process, injecting code into theme files and loading external scripts. The malware creates hidden …
wordpress
javascript injection
2025-03-07
malicious redirects
traffic hijacking
theme file modification
two-stage attack
seo damage
Published: March 7, 2025
Downloadable IOCs: 3

Fake WordPress Plugin Impacts SEO by Injecting Casino Spam

A recent investigation uncovered a malicious WordPress plugin disguised as an innocent security tool, injecting casino spam into website footers. The attackers employed obfuscation techniques and cURL to fetch data from a remote URL, decrypting it using XOR encryption. The malware retrieves a set o…
obfuscation
wordpress
plugin
xor encryption
2025-02-27
seo
casino
spam injection
link injection
Published: February 27, 2025
Downloadable IOCs: 1

Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection

A sophisticated credit card skimmer malware has been discovered targeting WordPress websites. The malware injects malicious JavaScript into database entries, specifically in the wp_options table, to steal sensitive payment details from checkout pages. It activates only on checkout pages, either hij…
wordpress
credit card skimmer
ecommerce
2025-01-10
database injection
Published: January 10, 2025
Downloadable IOCs: 0

PHP Reinfector and Backdoor Malware Target WordPress Sites

A sophisticated PHP reinfector and backdoor malware is targeting WordPress websites, infecting plugin files and database tables. The malware reinfects active plugins, manipulates wp_options and wp_posts tables, and creates malicious admin users. It utilizes WordPress's cron system to maintain contr…
backdoor
obfuscation
wordpress
php
2024-11-14
vextrio
database manipulation
backdoor malware
persistent threat
php reinfector
plugin infection
reinfector
cron system
Published: November 14, 2024
Downloadable IOCs: 0

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The AndroxGh0st malware has expanded its capabilities by incorporating the Mozi botnet to target IoT devices and cloud services. This Python-based tool, known for attacking Laravel applications, now exploits a wider range of vulnerabilities in internet-facing applications. The malware uses remote c…
iot
botnet
wordpress
CVE-2024-4577
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
cloud services
credential stealing
CVE-2022-1040
2024-11-08
mozi
laravel
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
Published: November 8, 2024
Downloadable IOCs: 1

2024 Credit Card Theft Season Arrives

As the holiday shopping season approaches, eCommerce website owners need to be vigilant against credit card stealing malware, known as 'MageCart'. Attackers focus their efforts in the last quarter to maximize profits from stolen card details. Analysis of recent malware samples reveals sophisticated…
wordpress
magento
credit card theft
2024-11-07
magecart
websocket skimmer
jquery hex skimmer
holiday shopping season
r.blob skimmer
ecommerce security
Published: November 7, 2024
Downloadable IOCs: 0

DarkCracks, an advanced malicious payload & upgrade framework utilizing hacked GLPI and WordPress sites as intermediaries

DarkCracks is a sophisticated malware framework that exploits compromised GLPI and WordPress sites as intermediaries for payload delivery and command and control. It collects sensitive information from infected devices, maintains long-term access, and uses them as nodes to control other devices or …
wordpress
quasarrat
2024-09-04
darkcracks
malware framework
infrastructure compromise
glpi
Published: September 4, 2024
Downloadable IOCs: 55

Fake update puts visitors at risk

This intelligence report discusses SocGholish, a JavaScript downloader used by threat actors to deliver malware payloads disguised as fake browser updates. It analyzes the recent tactics, techniques, and procedures employed by threat groups like Evil Corp in compromising WordPress websites, fingerp…
malware
cobalt strike
zloader
lumma stealer
socgholish
wordpress
downloader
redline stealer
2024-07-24
netsupport rat
egregor
ryuk
fake update
badspace
Published: July 24, 2024
Downloadable IOCs: 10

Supposed Grasshopper: operators impersonate Israeli government and private companies to deploy open-source malware

A long-running campaign was identified involving malicious actors impersonating Israeli entities and private companies. The operators delivered payloads through crafted WordPress sites, employing a mix of custom code and open-source malware like Donut and Sliver. While the motivations remain unclea…
impersonation
wordpress
sliver
golang
2024-06-28
open-source
donut
virtual disk
Published: June 28, 2024
Downloadable IOCs: 18

Active exploitation of stored XSS vulnerabilities in WordPress Plugins

Recent months have witnessed active exploitation attempts targeting multiple cross-site scripting (XSS) vulnerabilities in popular WordPress plugins. The attacks involve injecting malicious scripts that create new admin accounts, install backdoors, and implement tracking mechanisms. The affected pl…
CVE-2023-6961
wordpress
2024-05-31
xss
CVE-2023-40000
CVE-2024-2194
Published: May 31, 2024
Linked vulnerabilities : CVE-2023-6961 (CVSS 7.2), CVE-2023-40000, CVE-2024-2194
Downloadable IOCs: 28

Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin

A recent surge of malicious JavaScript code has been observed targeting websites using vulnerable versions of the LiteSpeed Cache plugin for WordPress. The malware injects code into critical WordPress files or the database, creating unauthorized admin users like 'wpsupp-user.' It exploits the vulne…
vulnerability
javascript
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
wordpress
litespeed
plugin
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports