The malicious plugins are cleverly disguised as legitimate ones, often using names similar to well-known plugins like Wordfense Security and LiteSpeed Cache.

A list of identified malicious plugins includes LiteSpeed Cache Classic and MonsterInsights Classic, among others, some of which have generic names that could easily mislead users.

One notable fake plugin involved in this campaign is the 'Universal Popup Plugin,' which injects malicious JavaScript into the site's HTML.

This injected script is designed to load further malicious code from a Binance Smart Chain smart contract, enabling the display of deceptive banners.

The ClickFix campaign has gained traction, utilizing fake error banners that target popular platforms such as Google Chrome, Google Meet, and Facebook.

Since 2023, the ClearFake campaign has emerged, showcasing fake web browser update banners on compromised websites.

In 2024, the ClickFix campaign was introduced, mimicking software error messages that ultimately lead to malware installation.

WordPress site administrators are strongly advised to check for unknown plugins and reset their admin passwords if they encounter any fake alerts.

While the exact methods for obtaining these credentials remain unclear, possibilities include brute force attacks, phishing, or leveraging existing information-stealing malware.

GoDaddy has reported that over 6,000 WordPress sites have been compromised by threat actors associated with the ClearFake and ClickFix campaigns, which involve the installation of malicious plugins that generate fake alerts.

These hackers are exploiting stolen admin credentials to log into WordPress sites and automate the installation of malicious plugins that display fake software updates and errors.