Malicious WordPress Plugins Infect Sites with Data-Thieving Malware
Thousands of WordPress websites are under threat after hackers exploited various WordPress plugins. GoDaddy claims to have spotted the new variant of the ClickFix malware.
A new variant of the ClearFake, also known as ClickFix malware, has allegedly compromised more than six thousand WordPress websites. ClickFix, introduced in 2024, is a social engineering tactic that deceives users into executing malicious scripts by pasting them in PowerShell terminal. It shares many similarities with ClearFake that displays fake web browser update banners on compromised websites.
“The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins,” explains GoDaddy security researcher Denis Sinegubko. “These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users,” he wrote.
Affected plugins
The impacted plugins spotted in the campaign include LiteSpeed Cache Classic, Custom CSS Injector, MonsterInsights Classic, Custom Footer Generator, Wordfence Security Classic, Custom Login Styler, Search Rank Enhancer, SEO Booster Pro, Social Media Integrator, Responsive Menu Builder, among others, according to a report from GoDaddy.
Rise in Malicious Activities
Installing the malicious plugins would prompt connections with various WordPress actions to enable malicious JavaScript injection into the site’s HTML that would retrieve a JavaScript file stored in a Binance Smart Chain Contract, which displays fake software update banners.
ClickFix campaigns have become more prevalent this year, with threat actors compromising websites to display banners showing fake errors for Google Chrome, Google Meet conferences, Facebook, and even CAPTCHA pages.
ClearFake, the other variant that everybody has witnessed before, is a type of malware attack that happens when a website gets hacked and shows a fake pop-up notification. This notification often looks like a browser message or an antivirus alert. It tells users that their computer is outdated or is infected with a virus, which eventually prevents them from viewing the desired website.
Over the past couple of years, information-stealing malware has become a menace to cyber security defenders worldwide as stolen credentials are used to steal data and breach networks.
