Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner.
The malicious script is being loaded from the cloudflare.solutions domain, which is not related to the real Cloudflare, and logs anything that users type inside form fields as soon as the user switches away from an input field.
The script is loaded on both a site's frontend and backend, which means it can also log the username and password entered when logging into the site's admin panel.
The script is dangerous on the frontend as well: on most WordPress sites the only user data it could steal there comes from comment fields, but some WordPress sites are also configured to work as online stores. In those cases, hackers can steal credit card data and other personal user information.
These attacks are not new; the cybersecurity firm Sucuri has detected three different malicious scripts hosted on the cloudflare.solutions domain.
In the last series of attacks, hackers have retained the cryptojacking script, but have also added the keylogger.
The script is active on nearly 5,500 WordPress sites
According to PublicWWW, this malicious version of the script is currently active on 5,496 sites.
The two malicious scripts that are known to load the keylogger are:
The stolen data is sent to wss://cloudflare[.]solutions:8085/.
If your site is infected, be aware that the malicious code resides in the functions.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.
Since the script is a keylogger, all WordPress passwords must be treated as compromised, so the next mandatory step of the cleanup is changing them.
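A defender checking a site for the infection described above can look for exactly the indicators the cleanup step names: the injected add_js_scripts function, the add_action hooks that register it, and any reference to the cloudflare.solutions domain in a theme's functions.php. The scanner below is an added example, not Sucuri's or the article's code; the sample functions.php it scans is constructed, the wp_head/admin_head hook names and the script path in it are assumptions.

```python
import re
from pathlib import Path

# Indicators from the article: the function injected into the theme's
# functions.php and the look-alike domain the script is loaded from.
INJECTED_FUNCTION = "add_js_scripts"
MALICIOUS_DOMAIN = "cloudflare.solutions"
FUNC_DEF_RE = re.compile(r"\bfunction\s+" + INJECTED_FUNCTION + r"\s*\(")
ADD_ACTION_RE = re.compile(r"\badd_action\s*\(.*['\"]" + INJECTED_FUNCTION + r"['\"]")

def scan_functions_php(source: str) -> dict:
    """Line numbers of the injected function definition, each add_action that
    registers it, and any reference to the malicious domain (defanged or not)."""
    findings = {"function_def": [], "add_action": [], "domain": []}
    for lineno, line in enumerate(source.splitlines(), start=1):
        if FUNC_DEF_RE.search(line):
            findings["function_def"].append(lineno)
        if ADD_ACTION_RE.search(line):
            findings["add_action"].append(lineno)
        if MALICIOUS_DOMAIN in line.replace("[.]", "."):
            findings["domain"].append(lineno)
    return findings

def is_infected(findings: dict) -> bool:
    return any(findings.values())

def scan_themes(wp_root: str) -> dict:
    """Scan functions.php of every installed theme; return only infected files."""
    results = {}
    for path in Path(wp_root).glob("wp-content/themes/*/functions.php"):
        findings = scan_functions_php(path.read_text(errors="replace"))
        if is_infected(findings):
            results[str(path)] = findings
    return results

# Constructed sample functions.php, not the real injected code. The
# wp_head/admin_head hooks are an assumption matching the article's
# "frontend and backend" wording; the script path is a placeholder.
SAMPLE_FUNCTIONS_PHP = """<?php
function mytheme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'mytheme_setup');

function add_js_scripts() {
    echo '<script src="https://cloudflare.solutions/PLACEHOLDER.js"></script>';
}
add_action('wp_head', 'add_js_scripts');
add_action('admin_head', 'add_js_scripts');
"""
```

Point `scan_themes()` at a WordPress root to list every theme whose functions.php carries these indicators, then remove the reported lines and rotate passwords as the article directs.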