sucuri

Uncovering a Stealthy WordPress Backdoor in mu-plugins

A stealthy backdoor has been discovered in WordPress installations, specifically targeting the mu-plugins directory. This malware leverages the must-use plugin mechanism to ensure automatic activation and persistence.

Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors

A new stealthy PHP malware campaign has been discovered targeting WordPress websites. The malware leverages the `zip://` PHP wrapper to include obfuscated malicious code from a ZIP archive embedded in the WordPress core file `wp-settings.php`.

Stealthy WordPress Malware Drops Windows Trojan via PHP Backdoor

A stealthy malware campaign has been discovered targeting WordPress websites to deliver a Windows-based RAT through a PHP backdoor. The infection chain involves a malicious ZIP archive containing the trojan executable.

The Case of Hidden Spam Pages

A campaign targeting WordPress websites involves attackers brute-forcing wp-admin credentials to deploy spam posts and pages for blackhat SEO purposes. The attackers use two malicious plugins to conceal their activity and maintain persistent access.

Malicious WordPress Plugin Creates Hidden Admin User Backdoor

A malicious WordPress plugin named php-ini.php was discovered that conditionally created a malicious admin user on infected websites. The plugin mimicked the legitimate wpforms plugin but only included a single file.

Malicious WordPress Plugin ‘wordpress-player.php’ Redirects Users via Hidden Video and WebSocket C2

A new malicious WordPress plugin named wordpress-player.php has been discovered, designed to covertly redirect site visitors to suspicious domains. At least 26 websites have been confirmed as infected, indicating a growing campaign.

Fake WordPress Caching Plugin Used to Steal Admin Credentials

A malicious WordPress plugin named wp-runtime-cache has been discovered masquerading as a caching plugin to steal admin credentials. The plugin is hidden from the admin panel and lacks author and URL metadata.

Fake Java Update Popup Found in Malicious WordPress Plugin

A malicious WordPress plugin disguised as "Yoast SEO" was found injecting a fake "Java Update" pop-up to trick users into downloading malware. The plugin injects JavaScript into the of pages, avoiding macOS, mobile, and Safari users.

Fake Google Meet Page Tricks Users into Running PowerShell Malware

A fake Google Meet page was discovered, designed to trick users into running a malicious PowerShell command under the guise of fixing a "Microphone Permission Denied" error.

Another Fake Cloudflare Verification Targets WordPress Sites

A new malware campaign is targeting WordPress sites by impersonating a Cloudflare verification page. This multistage infection uses social engineering and obfuscated PowerShell commands to deliver a malicious Windows executable.
