Tag Archives: WordPress Security

Unwanted Pop-ups Caused by Injectbody/Injectscr Plugins

On February 8th, 2018, we noticed a new wave of WordPress infections involving two malicious plugins: injectbody and injectscr. These plugins inject obfuscated scripts, creating unwanted pop-up/pop-unders. Whenever a visitor clicks anywhere on an infected web page, they are served questionable ads. Plugin Location The malicious plugins possess a very similar file structure: Injectbody wp-content/plugins/injectbody/ More Info »

SQLi Vulnerability in YITH WooCommerce Wishlist

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the YITH WooCommerce Wishlist plugin for WordPress. This plugin allows visitors and potential customers to make wish lists containing products in the WooCommerce store, and is currently installed on 500,000+ websites. Are You at Risk? This vulnerability More Info »

Malicious Website Cryptominers from GitHub. Part 2.

Recently we wrote about how GitHub/GitHub.io was used in attacks that injected cryptocurrency miners into compromised websites. Around the same time, we noticed another attack that also used GitHub for serving malicious code. Encrypted CoinHive Miner in Header.php The following encrypted malware was found in the header.php file of the active WordPress theme: There are More Info »

Javascript Injection Creates Rogue WordPress Admin User

Earlier this year, we faced a growing volume of infections related to a vulnerability in outdated versions of the Newspaper and Newsmag themes. The infection type was always the same: malicious JavaScript designed to display unauthorized pop-ups or completely redirect visitors to spammy websites, which the hackers then monetized through advertisement views. This month we More Info »

Malicious Cryptominers from GitHub

Recently, a webmaster contacted us when his AVG antivirus reported that the JS:Miner-C [Trj] infection was found on their site. Our investigation revealed a hidden iframe had been injected into the theme’s footer.php file: <iframe src="hxxps://wpupdates.github[.]io/ping/” style=”width:0;heigh:0;border:none;”> When we opened the URL in a browser, the page was blank. After checking the HTML source code, More Info »

Cloudflare[.]Solutions Keylogger on Thousands of Infected WordPress Sites

A few weeks ago, we wrote about a massive WordPress infection that injected an obfuscated script pretending to be jQuery and Google Analytics. In reality, this script loaded a CoinHive cryptocurrency miner from a third-party server. We also mentioned a post written back in April that described the cloudflare.solutions malware, which came along with the cryptominers. More Info »