Hackers are using stolen credentials to infect WordPress sites with bogus plugins that deliver malware and infostealers to end users via fake browser update prompts.
The malicious campaign, based on a new variant of the ClickFix fake browser update malware, has infected more than 6,000 sites with fake WordPress plugins since June 2024. Overall, ClickFix has now compromised more than 25,000 sites since August 2023, according to the GoDaddy security team.
No known vulnerabilities are being exploited to deliver the bogus plugins; the hackers simply seem to be using stolen credentials.
“Log analysis reveals that the installation of counterfeit WordPress plugins did not directly exploit any known vulnerabilities within the WordPress ecosystem,” the GoDaddy advisory said. “Instead, attackers possessed legitimate WordPress admin credentials for each compromised site.”
The plugins are “designed to appear harmless to website administrators,” but site visitors could be shown fake browser updates and other malicious prompts.
The plugins inject malicious JavaScript that contains “a known variation of fake browser update malware that uses blockchain and smart contracts to obtain malicious payloads,” known as EtherHiding. When executed in the browser, the JavaScript delivers fake browser update notifications that guide users to install malware on their machines, typically remote access trojans (RATs) or info stealers like Vidar Stealer and Lumma Stealer.
The fake plugins use generic names such as “Advanced User Manager” or “Quick Cache Cleaner,” and their directories contain only 3 small files: index.php, .DS_Store, and a -script.js file with a variation typically based on the name of the plugin.
Those naming schemes led to the discovery of other malicious plugins:
| Plugin name | Injected script |
| Admin Bar Customizer | admin-bar-customizer/abc-script.js |
| Advanced User Manager | advanced-user-manager/aum-script.js |
| Advanced Widget Manage | advanced-widget-manage/awm-script.js |
| Content Blocker | content-blocker/cb-script.js |
| Custom CSS Injector | custom-css-injector/cci-script.js |
| Custom Footer Generator | custom-footer-generator/cfg-script.js |
| Custom Login Styler | custom-login-styler/cls-script.js |
| Dynamic Sidebar Manager | dynamic-sidebar-manager/dsm-script.js |
| Easy Themes Manager | easy-themes-manager/script.js |
| Form Builder Pro | form-builder-pro/fbp-script.js |
| Quick Cache Cleaner | quick-cache-cleaner/qcc-script.js |
| Responsive Menu Builder | responsive-menu-builder/rmb-script.js |
| SEO Optimizer Pro | seo-optimizer-pro/sop-script.js |
| Simple Post Enhancer | simple-post-enhancer/spe-script.js |
| Social Media Integrator | social-media-integrator/smi-script.js |
“The underlying plugin code remains deliberately simplistic to avoid raising red flags,” the advisory said. A hook for the wp_enqueue_scripts action is manipulated to load a harmful script from the plugin directory into WordPress pages.
.DS_Store is short for Desktop Services Store, hidden files that the macOS Finder application creates to store folder preferences. The fake plugin .DS_Store files don’t contain any information but can be used as an indicator of compromise (IoC):
The script filenames contain identical content and can be identified by their hash:
The GoDaddy advisory notes that the presence of valid WordPress admin credentials suggests that the hackers used methods to obtain the credentials, such as brute-force attacks, phishing campaigns, or perhaps even malware or infostealer infections on the website admins’ computers.
The advisory didn’t say, but presumably multi-factor authentication would offer some protection against the stolen credentials being misused, along with other access controls such as device ID, health and location.
Weekly roundup on cybersecurity trends: AI-driven attacks, ransomware incidents, supply chain breaches, and key global security updates in 2026.
Fragnesia is a Linux Kernel flaw in XFRM ESP-in-TCP that enables local attackers to gain root access through page-cache corruption.
Researchers found malicious node-ipc tarballs containing a credential stealer that exfiltrated sensitive developer data via DNS TXT queries.
The company explained that it delayed full certificate revocation until June 12 to avoid disrupting legitimate users.
The Exim BDAT vulnerability impacts Exim 4.97–4.99.2 using GnuTLS, exposing mail servers to memory corruption risks.
Registered attendees will also receive a complimentary copy of the Americas Threat Landscape Report – Q1 2026.
This website uses cookies. By continuing to use this website you are giving consent to cookies being used.
Read More