Security researchers have uncovered a large campaign that is hijacking vulnerable WordPress websites and using them to spread malware to visitors. Researchers from Rapid7 say the campaign likely started in December 2025 and has already compromised more than 250 websites worldwide. The list of affected sites includes regional media outlets, small business websites, and even the official website of a US Senate candidate.
According to Rapid7, attackers are scanning the internet for WordPress websites with security weaknesses. These weaknesses can include poor admin passwords, outdated plugins, or themes with known vulnerabilities. Once attackers gain access to a site, they do not visibly change the website. Instead, they quietly insert a fake Cloudflare verification page that appears when someone visits the site for the first time.
Since Cloudflare CAPTCHA pages are commonly used to verify visitors, many users do not find it suspicious. The fake verification page asks users to complete a CAPTCHA check. However, the process is very different from a normal verification step.
Instead of clicking a checkbox, visitors are asked to copy and paste a command into the Windows Run dialog. When users run the command, malware gets downloaded and executed on their system.
This method tricks users into installing the malware themselves. The malware used in this campaign is an infostealer. It is designed to collect sensitive information from infected systems. The stolen data can include login credentials, authentication cookies, cryptocurrency wallet information, and other personal details.
Rapid7 says the large number of compromised websites suggests the campaign is highly automated. The attackers do not appear to be targeting a specific industry. Instead, they are taking advantage of poorly secured WordPress websites across different sectors.
The researchers believe the operation is part of an organized and long-term cybercriminal effort aimed at spreading malware and stealing sensitive data from unsuspecting users.
