WordPress checkout pages have been targeted with a novel credit card skimmer payload concealed as a table entry through database injection, circumventing detection by file-scanning security systems, SC Media reports.
Securi said activation of the malicious JavaScript code injected in the wp_options table in websites with "checkout" and not "cart" in their URLs is followed either by the creation of spoofed payment forms or the real-time capturing of details from legitimate payment forms. The researchers said the gathered data then gets obfuscated with base64 encoding and AES-CBC encryption before being exfiltrated while ensuring continuous browsing on the side of the victim.
These findings should prompt WordPress site admins to not only monitor and remove suspicious code, but also ensure that their themes and plugins are up-to-date, researchers said. Admins have also been urged to protect WordPress sites with web application firewalls, robust credentials, and two-factor authentication to avert potential site compromise.
