Saturday, May 3, 2025
HomeCyber Attack5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Published on

SIEM as a Service

Follow Us on Google News

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the intrusion method remains under investigation, with no common entry point identified. 

A malicious script creates unauthorized administrator accounts with the credentials ‘wpx_admin’ and a hardcoded password.

Subsequently, it downloads and activates a malicious WordPress plugin, compromising the website and enabling the exfiltration of sensitive data to a remote server.”

- Advertisement - Google News

The `createUser` function attempts to create a new user with the username “wpx_admin” and a hardcoded password within a WordPress environment. 

It first retrieves the CSRF token from the user creation page, and then it constructs a POST request with the user credentials and the CSRF token. The function logs the success or failure of the user creation operation.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

It downloads a plugin from a remote server activates it on the compromised website and then exfiltrates sensitive information, including admin credentials and operation logs, by sending them to another server via obfuscated image requests. 

By leveraging JSON to structure, it exfiltrated data and included additional information such as the victim’s website URL, timestamp, and user agent for better identification. 

In case the initial transmission attempt fails, the script implements a backoff retry mechanism to ensure successful exfiltration.

The attacker exploits admin access to upload a malicious plugin. First, the script retrieves the CSRF token from the WordPress plugin upload page. Subsequently, it downloads the malicious plugin file from a remote server. 

According to C/Side, using the acquired CSRF token, the script submits the downloaded malicious plugin file to the WordPress site for installation effectively compromises the website.

The script fetches a plugin from an external source and injects it into the victim’s website via a POST request to the `/wp-admin/update.php?action=upload-plugin` endpoint. To bypass security measures, the script retrieves a security token from the victim’s website using an initial GET request.

It fetches the website’s HTML content using the fetch API with credentials set to ‘include’ to access session cookies and then checks the fetched content for the presence of a string ‘wp3.xyz’ which indicates a malicious plugin installation. 

If found, a success message with a ‘Payload verified’ message is sent using the sendLog function. Otherwise, a failure message with a ‘Payload not found’ message is sent. 

The assumption that the malicious plugin injects a reference to its control server ‘wp3.xyz’ into the content of the website is the foundation upon which this verification technique is supported.

An attack was mitigated by blocking the malicious domain https://wp3[.]xyz on firewalls and auditing WordPress admin accounts for unauthorized users while suspicious plugins were removed and existing ones were validated. 

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

RansomHub Taps SocGholish: WebDAV & SCF Exploits Fuel Credential Heists

SocGholish, a notorious loader malware, has evolved into a critical tool for cybercriminals, often...

Hackers Weaponize Go Modules to Deliver Disk‑Wiping Malware, Causing Massive Data Loss

Cybersecurity researchers uncovered a sophisticated supply chain attack targeting the Go programming language ecosystem...

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

RansomHub Taps SocGholish: WebDAV & SCF Exploits Fuel Credential Heists

SocGholish, a notorious loader malware, has evolved into a critical tool for cybercriminals, often...

Hackers Weaponize Go Modules to Deliver Disk‑Wiping Malware, Causing Massive Data Loss

Cybersecurity researchers uncovered a sophisticated supply chain attack targeting the Go programming language ecosystem...

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...