Pierluigi Paganini
January 13, 2025
Sucuri researchers warn of a stealthy credit card skimmer campaign targeting WordPress e-commerce sites by injecting malicious JavaScript into CMS database tables.
The attackers hide the malicious code in the WordPress wp_options table, injecting obfuscated JavaScript into widget_block to evade file scans and maintain persistence.
“The malicious code was embedded in the WordPress database under the wp_options table, specifically in the row:
option_name: widget_block
option_value: Contains obfuscated JavaScript code.” reads the post published by Sucuri.
“By injecting itself into the database rather than theme files or plugins, the malware avoids detection by common file-scanning tools. This allows it to persist quietly on compromised WordPress sites.”
The experts discovered that the malicious was injected into the HTML block widget through the WordPress admin panel (wp-admin > widgets).
The JavaScript code specifically targets checkout pages, activating when a user is about to enter payment details. The malicious code dynamically generates a fake payment screen mimicking legitimate processors like Stripe, designed to capture sensitive information such as credit card details and billing information. Alternatively, the script can also intercept data entered on real payment screens in real time for broader compatibility.
“The script checks if the page URL contains “checkout” while excluding “cart.” This ensures the malware only activates when users are ready to submit their payment details. It dynamically creates a fake payment form that mimics legitimate payment processors (e.g., Stripe). The form includes fields for credit card number, expiration date, CVV, and billing information. If a legitimate payment form is already on the page, the script captures data entered into these fields in real time.” reads the report published by Sucuri.
“This approach ensures that users unknowingly provide their sensitive payment details to the attacker.”
The credit card skimmer encodes stolen data in Base64 format and encrypts them with AES-CBC to make it appear harmless and make the analysis harder. The data is finally transmitted to an attacker-controlled server (“valhafather[.]xyz” or “fqbe23[.]xyz”).
To remove the malware, log into your WordPress admin panel and navigate to wp-admin > Appearance > Widgets. Inspect all Custom HTML block widgets for any suspicious or unfamiliar <script> tags.
“This credit card skimmer demonstrates how attackers are evolving their techniques to hide malware within WordPress databases and target sensitive checkout processes.” concludes the report. “By injecting fake payment forms or hijacking existing ones, they can silently exfiltrate payment details without detection.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, credit card skimmer)
