
New WordPress Malware Hides on Checkout Pages and Imitates Cloudflare


Cybersecurity researchers have discovered a sophisticated malware campaign targeting WordPress websites that steals credit card details and user logins and also profiles its victims.

Discovered on May 16, 2025, by the Wordfence Threat Intelligence Team, the malware is packaged as a fake WordPress plugin and uses anti-detection methods not previously seen. One notable tactic is hosting a live management interface directly on the infected site rather than on separate attacker infrastructure, which makes the operation harder to spot.

According to Wordfence's blog post, the operation has been active since at least September 2023. Researchers analyzed more than 20 samples and found traits shared across every version: code obfuscation, anti-analysis techniques, and checks for open browser developer tools.

For example, the malware deliberately does not run on administrator pages, where it would be more likely to be noticed, and activates only on checkout pages. Newer versions inject fake payment forms and imitate Cloudflare security checks to trick users. Stolen data is exfiltrated in requests disguised as image URLs.

Cloudflare brand impersonation (Image via Wordfence)

Beyond payment-card theft, researchers found three other variants of the malware, each with a different goal. One tampered with Google Ads to show fraudulent advertisements to mobile users. Another was built to steal WordPress login credentials.

A third variant spreads further malware by replacing legitimate links on a site with malicious ones. Despite these different functions, the core framework stayed the same, with features adapted to each campaign. Some versions used the messaging app Telegram to send stolen data and report user activity in real time.

“One sample inspected also included a surprisingly complete fake human verification challenge, dynamically injected as a fullscreen and multi-language screen, intended to serve both as a user deception device and as an anti-bot filter. This includes incredibly advanced features for malware, like text localized in multiple languages, CSS support for RTL languages and dark mode, interactive elements like animations and spinning SVGs, and a definite Cloudflare brand impersonation, revealing a complexity rarely encountered before.”

Paolo Tresso – Wordfence

A key discovery was a fake plugin named "WordPress Core". It looks harmless but contains hidden JavaScript skimming code and PHP scripts that let attackers manage stolen data directly from the compromised site.

The rogue plugin also hooks into WooCommerce, the popular e-commerce plugin, to mark fraudulent orders as complete, which helps delay detection. Its hidden management panel stores stolen payment data inside WordPress itself, filed under a custom "messages" section.

To check for compromise, site administrators should look for indicators linked to the attackers, including the domains api-service-188910982.website and graphiccloudcontent.com. Wordfence released detection signatures for this malware to its premium users between May 17 and June 15, 2025; free users receive them after the standard 30-day delay.
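As an added illustration of the indicator check described above (example code written for this article, not Wordfence's scanner or any code from the campaign), the following Python script walks a WordPress tree looking for the two attacker domains named in the report and for a plugin whose header announces itself as "WordPress Core". Because the report says the samples are obfuscated, the script also matches hex, reversed and base64 forms of the domains; that extension, the rogue plugin's directory slug and the sample files it scans are assumptions constructed for the demonstration, not details from the report.

```python
"""Offline indicator scan for the WordPress skimmer described above.

Added example, not Wordfence's or HackRead's code. The indicators (two domains
and the plugin display name) come from the article; the encoded-form matching,
the rogue plugin's directory slug and the sample site are assumptions.
"""
import base64
import re
import tempfile
from pathlib import Path

# Indicators named in the article.
IOC_DOMAINS = ("api-service-188910982.website", "graphiccloudcontent.com")
FAKE_PLUGIN_NAME = "WordPress Core"

# File types worth reading in a WordPress install.
SCAN_SUFFIXES = {".php", ".js", ".html", ".json", ".txt"}

# "Plugin Name:" header line, as WordPress reads it from a plugin's main file.
PLUGIN_NAME_RE = re.compile(r"plugin name:\s*(.+)", re.IGNORECASE)


def encoded_forms(domain):
    """Return strings whose presence in a file implies the domain is present.

    Assumption (not from the article): obfuscated samples may carry the domain
    hex-encoded, reversed, or base64-encoded. For base64 all three byte
    alignments are generated and the edge characters dropped, so the match
    does not depend on what precedes or follows the domain in the source.
    """
    raw = domain.encode()
    forms = {domain.lower(), raw.hex(), domain[::-1].lower()}
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).decode()
        forms.add(enc[4:-4])  # middle groups encode domain bytes only
    return forms


def scan_tree(root):
    """Return a list of (relative path, reason) for every suspicious file."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        lowered = text.lower()
        rel = path.relative_to(root).as_posix()
        for domain in IOC_DOMAINS:
            # base64 forms are case-sensitive, the others are matched lowercase
            if any(f in text or f in lowered for f in encoded_forms(domain)):
                findings.append((rel, f"references attacker domain {domain}"))
        m = PLUGIN_NAME_RE.search(text)
        if m:
            name = m.group(1).split("*/")[0].strip()
            if name.lower() == FAKE_PLUGIN_NAME.lower():
                findings.append((rel, f'plugin header claims to be "{FAKE_PLUGIN_NAME}"'))
    return findings


def build_sample_site(root):
    """Write a constructed (not real) WordPress tree with one infected plugin."""
    root = Path(root)
    # Assumed directory slug; the article names only the plugin's display name.
    rogue = root / "wp-content" / "plugins" / "wordpress-core"
    rogue.mkdir(parents=True)
    b64 = base64.b64encode(IOC_DOMAINS[0].encode()).decode()
    (rogue / "wordpress-core.php").write_text(
        "<?php\n/*\nPlugin Name: WordPress Core\n*/\n"
        f"$u = base64_decode('{b64}');\n"  # exfil endpoint hidden by encoding
    )
    clean = root / "wp-content" / "plugins" / "woocommerce"
    clean.mkdir(parents=True)
    (clean / "woocommerce.php").write_text("<?php\n/*\nPlugin Name: WooCommerce\n*/\n")
    theme = root / "wp-content" / "themes" / "storefront"
    theme.mkdir(parents=True)
    (theme / "footer.php").write_text(
        '<script src="https://graphiccloudcontent.com/x.js"></script>\n'
    )
    return root


def demo():
    """Build the constructed site in a temp dir, scan it and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a real site, point `scan_tree` at the WordPress root (or just `wp-content`) and treat any hit as a reason to pull the file for manual review; a plain-string match on the domains alone would miss a sample that stores them base64-encoded, which is why the encoded forms are included.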
