Dark Web Seller Offers Hacked WordPress Online Store Access for Sale

A threat actor has reportedly listed access to a compromised WordPress-based online store for sale on a dark web forum, according to a recent social media alert from cybersecurity watchdog DarkWebInformer.

The advertisement, which surfaced in late March 2025, claims the seller possesses administrative credentials and backdoor access to an e-commerce platform hosting over 15,000 customer records.

While the authenticity of the listing remains unverified, cybersecurity analysts warn this incident reflects broader trends in digital criminal markets, where stolen website access commands premium prices for follow-on fraud and data harvesting.

Technical Specifications of Alleged Breach

According to DarkWebInformer, the seller’s post, which was analyzed by dark web monitoring groups, describes the compromised WordPress instance as running WooCommerce with multiple vulnerable plugins.

According to the listing, the threat actor leveraged a combination of brute-force attacks against weak administrator passwords and exploitation of unpatched vulnerabilities in the site’s contact form plugin.

The access package reportedly includes:

  • SQL database credentials with read/write privileges
  • WP-admin panel access via stolen session cookies
  • File Transfer Protocol (FTP) credentials enabling code injection
  • SSL private keys decrypting customer transaction data

Priced at 0.8 Bitcoin (~$35,000), the offering includes “technical support” to maintain persistence on the server—a service increasingly common in darknet markets catering to less-skilled cybercriminals.

Contextualizing WordPress Supply Chain Risks

This incident follows a documented escalation in WordPress-focused cybercrime, including the 2024 PhishWP plugin campaign that converted legitimate sites into phishing portals and the 2025 ClickFix malware distribution through fraudulent WordPress plugins.

Analysts at Cyble Research note that 38% of recent dark web e-commerce breaches involved WordPress vulnerabilities, with attackers prioritizing platforms using outdated versions of WooCommerce or Elementor.

The methodology aligns with the 2024 Mason Soiza campaign, where threat actors purchased abandoned WordPress plugins to insert backdoors, compromising 300,000+ sites for SEO spam and credential harvesting.

Wordfence researchers observed a 214% year-over-year increase in brute-force attacks against WordPress admin portals, with 22% of compromised sites subsequently used to host dark web marketplaces.

Dark Web’s Evolving Cybercrime Economy

Darknet markets now operate as full-service platforms for digital intrusion, with 2025 projections estimating $12 billion in annual transactions involving stolen website access.

Recorded Future’s Dark Web Intelligence division identifies three primary exploitation pathways for sold WordPress access:

  1. Credit card triangulation fraud using intercepted customer data
  2. Malware distribution hubs via injected malicious scripts
  3. SEO poisoning campaigns boosting illegal pharmacy or counterfeit goods listings

The Congressional Research Service notes that access packages for WordPress sites with active customer bases sell for 2-3x the price of static credential lists, reflecting their utility in downstream attacks.

Mitigation Strategies for E-Commerce Operators

Cybersecurity firms recommend immediate actions for WordPress site administrators:

  1. Credential rotation: Enforce 2FA for all admin accounts and API keys
  2. Plugin audit: Remove unused extensions and implement WPScan monitoring for known vulnerabilities
  3. Traffic analysis: Deploy behavioral analytics tools to detect abnormal admin panel access patterns
  4. Dark web monitoring: Utilize services like SOCRadar to scan for exposed credentials and infrastructure mentions
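
A minimal sketch of the traffic-analysis step above, added here as an example and not taken from the article or any vendor it names: it scans a combined-format access log for repeated failed wp-login.php POSTs and for admin pages served to clients with no login in the log, which is consistent with a reused session cookie. It assumes default WordPress behaviour (302 on a successful login, 200 on a failed one); the function names, thresholds and sample log are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# wp-admin endpoints that answer 200 without an authenticated session
PUBLIC = ("admin-ajax.php", "admin-post.php", "load-styles.php", "load-scripts.php")

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def analyze(lines, max_fails=5, window=timedelta(minutes=5)):
    """Return (brute_force_ips, admin_without_login_ips)."""
    fails = defaultdict(list)            # ip -> recent failed-login times
    logged_in, brute, no_login = set(), set(), set()
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if method == "POST" and path == "/wp-login.php":
            if status == 302:            # assumed: redirect on success
                logged_in.add(ip)
            elif status == 200:          # login form re-rendered: failure
                fails[ip] = [t for t in fails[ip] if ts - t <= window] + [ts]
                if len(fails[ip]) >= max_fails:
                    brute.add(ip)
        elif (path.startswith("/wp-admin/") and path.endswith(".php")
              and not path.endswith(PUBLIC) and status == 200
              and ip not in logged_in):
            no_login.add(ip)             # admin page served, no login seen
    return brute, no_login

def _line(ip, sec, method, path, status):
    return (f'{ip} - - [01/Jan/2025:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample log (documentation-range IPs, not real traffic)
SAMPLE = [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(5)]
SAMPLE += [
    _line("198.51.100.20", 10, "POST", "/wp-login.php", 302),
    _line("198.51.100.20", 11, "GET", "/wp-admin/index.php", 200),
    _line("192.0.2.44", 20, "GET", "/wp-admin/plugins.php", 200),
    _line("192.0.2.99", 21, "POST", "/wp-admin/admin-ajax.php?action=x", 200),
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Sessions established before the start of the log, or clients behind a shared proxy address, will show up in the second set as false positives, so treat its output as leads to correlate with user agent and login history rather than as verdicts.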

As threat actors continue weaponizing WordPress’ market dominance—powering 43% of all websites—the incident underscores the critical need for proactive security hardening in e-commerce environments.

Verification requests sent to WordPress’ security team regarding the current claim remain unanswered as of publication.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
