Malicious JavaScript Injects Fullscreen Iframe On a WordPress Website

SUMMARY :

A JavaScript-based malware campaign has been discovered affecting compromised WordPress websites. The malware injects a fullscreen iframe that loads content from suspicious external domains, aiming to force users to view unsolicited content for ad fraud, traffic generation, or social engineering. The infection was found embedded in the WordPress wp_options database table, exploiting the WPCode plugin. The malicious script uses advanced evasion techniques like anti-debugging, function hijacking, and localStorage abuse. It selectively targets Windows users on specific browsers, displaying a fake Cloudflare CAPTCHA page that prompts users to run a suspicious PowerShell command. This attack not only intrudes on user experience but also poses significant security risks, potentially leading to system compromise and damage to website reputation.

OPENCTI LABELS :

javascript,wordpress,fake captcha,anti-debugging,iframe injection,wpcode plugin,powershell exploitation,fullscreen overlay


AI COMMENTARY :

1. Introduction to a Malicious JavaScript Campaign This month, security researchers uncovered a JavaScript-based malware campaign targeting compromised WordPress installations. The attack revolves around injecting a fullscreen iframe that silently loads content from suspicious external domains. Visitors to the infected site are forced to view unsolicited material, enabling threat actors to generate fake traffic, conduct ad fraud, or carry out social engineering schemes.

2. Infection Vector Through WPCode Plugin and wp_options Database The malicious payload is stealthily embedded in the wp_options table of the WordPress database, exploiting a vulnerability in the WPCode plugin. By gaining write access to this table, attackers ensure their script executes on every page load. Once the script is in place, it persists across theme updates and plugin reinstalls, making it difficult for administrators to remove without a detailed database inspection.

3. Sophisticated Evasion Techniques Beyond simple injection, the script employs advanced anti-debugging methods to thwart analysis. It hijacks native JavaScript functions and abuses localStorage to hide its true intentions. When executed, the code performs environment checks to confirm the browser and operating system match the attackers’ targets, skipping sandboxed or virtualized environments to avoid detection by security researchers.

4. Fake CAPTCHA and PowerShell Exploitation Instead of a benign CAPTCHA, Windows users on specific browsers are shown a counterfeit Cloudflare challenge. The overlay occupies the full screen, blocking any interaction with the genuine page content. When users attempt to solve the challenge, the script prompts them to execute a suspicious PowerShell command. Running this command risks downloading additional payloads capable of system compromise, credential theft, or lateral movement across networks.

5. Impact on User Experience and Website Reputation This iframe injection not only degrades the user experience by blocking legitimate content but also exposes visitors to potentially harmful downloads. A site’s reputation can suffer significant damage once users associate it with intrusive pop-ups and security warnings. Moreover, if the PowerShell command leads to a deeper compromise, the affected website may be blacklisted by search engines and security platforms, leading to loss of traffic and trust.

6. Detection, Mitigation, and Prevention To defend against this threat, administrators should immediately update or replace the WPCode plugin, and audit the wp_options table for unauthorized scripts. Implementing a strict Content Security Policy can prevent untrusted iframes from loading, and continuous file integrity monitoring will alert to unexpected changes. Educating site owners about fake CAPTCHA schemes and PowerShell exploitation is essential, as is maintaining regular backups and applying the principle of least privilege to database and file permissions.




OPEN NETMANAGEIT OPENCTI REPORT LINK!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Malicious JavaScript Injects Fullscreen Iframe On a WordPress Website