Threat actors are deploying fake plugins on WordPress websites whose admin credentials have been stolen, using that legitimate access rather than a software flaw to take over the sites.
These malicious plugins inject JavaScript that uses blockchain smart contracts to deliver malware payloads to unsuspecting website visitors; the campaign does not rely on any vulnerability in the WordPress platform itself.
A new ClickFix variant targeting WordPress websites uses fake plugins to inject malicious JavaScript that presents users with fake browser update notifications, ultimately leading to malware installation and data theft. The campaign has been detected on thousands of sites worldwide since its discovery in 2023.
Researchers discovered malicious WordPress plugins, with names such as “Advanced User Manager” and “Quick Cache Cleaner” and a consistent naming pattern for their JavaScript files, that injected harmful code into websites, affecting thousands of domains worldwide.
The fake WordPress plugins are systematically generated to inject malicious scripts into WordPress pages: they use the wp_enqueue_scripts hook to load the scripts and mask their intent behind a seemingly harmless wp_head hook.
Malicious scripts with identical hashes inject a library that interacts with a BSC (BNB Smart Chain) smart contract; the decoded contract fetches the fake browser update code from a TDS (traffic distribution system) for specific visitors.
ClickFix attackers injected malicious JavaScript into WordPress sites over 3 months through fake plugins disguised as popular ones (e.g., LiteSpeed Cache Classic) or given generic names, and used the wp_head hook with a high priority to inject the script near the top of the website’s <head> section.
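The two indicators described above (a plugin registering wp_head at an early priority that emits a script tag, and byte-identical JavaScript files shipped by different plugins) can be turned into a triage check for a site owner. The following is an added example and not code from the report or from GoDaddy; the plugin sources and JavaScript files are constructed inline, and the regex-based parsing is a heuristic for triage, not a substitute for a full malware scanner. The load_plugin_dir helper is assumed to be pointed at a real wp-content/plugins directory.

```python
import hashlib
import re
from pathlib import Path

# A wp_head registration on one line; the priority is the optional trailing integer.
WP_HEAD_RE = re.compile(r"""add_action\(\s*['"]wp_head['"]""")
PRIORITY_RE = re.compile(r",\s*(\d+)\s*\)\s*;?\s*$")
SCRIPT_TAG_RE = re.compile(r"<script\b", re.IGNORECASE)

# Constructed sample plugin sources, keyed by "plugin-slug/file.php".
SAMPLE_PHP = {
    "quick-cache-cleaner/quick-cache-cleaner.php": """<?php
/* Plugin Name: Quick Cache Cleaner */
function qcc_head() {
    echo '<script src="https://cdn.example.invalid/loader.js"></script>';
}
add_action('wp_head', 'qcc_head', 1);
""",
    "advanced-user-manager/advanced-user-manager.php": """<?php
/* Plugin Name: Advanced User Manager */
function aum_scripts() {
    wp_enqueue_script('aum', plugins_url('assets/aum.js', __FILE__));
}
add_action('wp_enqueue_scripts', 'aum_scripts');
add_action('wp_head', function () { echo '<script src="https://cdn.example.invalid/loader.js"></script>'; }, 1);
""",
    "site-tools-demo/site-tools-demo.php": """<?php
/* Plugin Name: Site Tools Demo (constructed, benign) */
function std_notice() { echo '<p>Hello</p>'; }
add_action('admin_notices', 'std_notice');
""",
}
# Constructed JavaScript files; the first two are byte-identical on purpose.
SAMPLE_JS = {
    "quick-cache-cleaner/assets/qcc.js": b"(function(){/* constructed loader */})();",
    "advanced-user-manager/assets/aum.js": b"(function(){/* constructed loader */})();",
    "site-tools-demo/demo.js": b"console.log('demo');",
}


def wp_head_registrations(php_source):
    """Return [(line_no, priority)] for each add_action('wp_head', ...) call.
    WordPress defaults the priority to 10; lower numbers run earlier, i.e. closer to the top of <head>."""
    found = []
    for no, line in enumerate(php_source.splitlines(), 1):
        if WP_HEAD_RE.search(line):
            m = PRIORITY_RE.search(line.strip())
            found.append((no, int(m.group(1)) if m else 10))
    return found


def scan_plugins(php_sources, js_files, max_priority=1):
    """Heuristic triage. php_sources: {path: source}; js_files: {path: bytes}.
    Returns (findings, duplicates): plugin files that hook wp_head early or emit a <script>
    tag, and SHA-256 groups of identical JS files that span more than one plugin slug."""
    findings = []
    for path, src in php_sources.items():
        regs = wp_head_registrations(src)
        if not regs:
            continue
        emits_script = bool(SCRIPT_TAG_RE.search(src))
        early = [p for _, p in regs if p <= max_priority]
        if emits_script or early:
            findings.append({"path": path, "priorities": [p for _, p in regs],
                             "emits_script_tag": emits_script, "early_wp_head": bool(early)})
    by_hash = {}
    for path, data in js_files.items():
        by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(path)
    duplicates = {h: ps for h, ps in by_hash.items()
                  if len({p.split("/")[0] for p in ps}) > 1}
    return findings, duplicates


def load_plugin_dir(root):
    """Read every .php and .js under a real wp-content/plugins directory (assumed path)
    into the two dicts scan_plugins expects."""
    root = Path(root)
    php = {str(p.relative_to(root)): p.read_text(errors="replace") for p in root.rglob("*.php")}
    js = {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*.js")}
    return php, js


if __name__ == "__main__":
    findings, dups = scan_plugins(SAMPLE_PHP, SAMPLE_JS)
    for f in findings:
        print("suspicious plugin file:", f)
    for h, paths in dups.items():
        print("identical JS across plugins:", h[:12], paths)
```

Run it against a live install with `php, js = load_plugin_dir("/var/www/html/wp-content/plugins")` and pass the result to scan_plugins; a hit on both indicators for a plugin you did not knowingly install is a strong reason to compare its files against the version in the official plugin directory before deleting it.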
Threat actors are increasingly using disposable GitHub and Bitbucket repositories to host malicious payloads; these are often short-lived, but some persist online. For example, the “BrowserUpdate” repository on GitHub, created in August 2024, remains active and potentially contains malicious code.
The attackers successfully used valid WordPress credentials to infiltrate multiple websites, running automated scripts that log into the sites, upload the malicious plugins, and activate them within minutes, which indicates a highly organized and efficient attack campaign targeting WordPress installations worldwide.
They also used stolen WordPress admin credentials to install fake browser updates disguised as plugins, compromising multiple websites; these malicious plugins did not exploit any known WordPress vulnerabilities but used legitimate administrative access to take control of the affected sites.
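Because the intrusions ride on valid credentials, the most useful trace is the timing of the administrative actions rather than any exploit signature: a login, a plugin upload and an activation from one client within a few minutes is the pattern described above. The following is an added example, not code from the report; the web-server log lines are constructed, and the 600-second window is an assumed threshold. The endpoints it matches (wp-login.php, wp-admin/update.php?action=upload-plugin, wp-admin/plugins.php?action=activate) are the standard WordPress admin URLs for those actions.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs

# Combined/common log format: client, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log. 203.0.113.5 logs in, uploads and activates within 13 seconds;
# 198.51.100.7 logs in and uploads a plugin almost two hours later (an ordinary admin session).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [12/Sep/2024:10:01:09 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4120
203.0.113.5 - - [12/Sep/2024:10:01:15 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=quick-cache-cleaner%2Fquick-cache-cleaner.php HTTP/1.1" 302 0
198.51.100.7 - - [12/Sep/2024:11:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [12/Sep/2024:11:45:00 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 9000
198.51.100.7 - - [12/Sep/2024:13:10:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4000
""".splitlines()


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "target": m["target"], "status": int(m["status"])}


def classify(ev):
    """Map a request onto a step of the install sequence: ("login"|"upload"|"activate", plugin) or (None, None).
    A successful wp-login.php POST redirects (302); a failed one re-renders the form (200)."""
    path, _, query = ev["target"].partition("?")
    q = parse_qs(query)
    if path.endswith("/wp-login.php") and ev["method"] == "POST" and ev["status"] == 302:
        return "login", None
    if path.endswith("/wp-admin/update.php") and q.get("action") == ["upload-plugin"] and ev["method"] == "POST":
        return "upload", None
    if path.endswith("/wp-admin/plugins.php") and q.get("action") == ["activate"]:
        return "activate", q.get("plugin", [None])[0]
    return None, None


def find_rapid_plugin_installs(lines, window_seconds=600):
    """Return incidents where one client logs in, uploads a plugin and activates it,
    each step following the previous within window_seconds."""
    per_ip = {}
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_ip.setdefault(ev["ip"], []).append(ev)
    incidents = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        login_at = upload_at = None
        for ev in events:
            step, plugin = classify(ev)
            if step == "login":
                login_at, upload_at = ev["ts"], None
            elif step == "upload" and login_at and (ev["ts"] - login_at).total_seconds() <= window_seconds:
                upload_at = ev["ts"]
            elif step == "activate" and upload_at and (ev["ts"] - upload_at).total_seconds() <= window_seconds:
                incidents.append({"ip": ip, "plugin": plugin,
                                  "seconds_from_login": int((ev["ts"] - login_at).total_seconds())})
                upload_at = None
    return incidents


if __name__ == "__main__":
    for inc in find_rapid_plugin_installs(SAMPLE_LOG):
        print("rapid plugin install:", inc)
```

The plugin value in the activation URL is the file path WordPress will load, so an alert from this check names exactly the directory to inspect; pairing the hit with a password reset and a review of all administrator accounts addresses the credential theft the report attributes the access to.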
According to GoDaddy, the attackers likely used compromised credentials to install malicious plugins on the website, which were probably acquired through brute force attacks, phishing, or malware infections on the website owners’ computers.