Sophisticated Formjacking Malware Targets WooCommerce Stores: A Growing Threat
The Wordfence Threat Intelligence team recently uncovered a highly sophisticated formjacking malware targeting WooCommerce websites, posing a significant risk to online retailers and their customers. This stealthy malware injects fraudulent payment forms into checkout pages, seamlessly blending with legitimate site designs to steal sensitive customer data, such as credit card details, and send it to a remote Command & Control (C2) server. Unlike traditional card skimmers that merely overlay existing forms, this malware integrates directly into the payment workflow, making it exceptionally difficult for both site owners and users to detect.
The malicious script was first reported to Wordfence by a user on April 24, 2025, via email. Following analysis, the team developed a detection signature, which was refined and released to Wordfence Premium users on May 6, 2025, after a thorough quality assurance process. Users of the free Wordfence version will gain access to this signature on June 5, 2025, following the standard 30-day delay. The malware’s deceptive nature lies in its professional appearance: it mimics legitimate JavaScript with clean formatting, consistent indentation, and innocuous variable names, making it look like a standard component of a theme or plugin. Its key function, renderForm(), generates a fake yet professional-looking payment form that blends seamlessly into the checkout process, evading visual suspicion.
Wordfence’s robust security solutions, including its plugin and CLI scanners, detect over 99% of known threats, leveraging a Threat Intelligence database containing over 4.3 million unique malicious samples. For affected sites, Wordfence Care and Response services offer comprehensive malware removal and incident response, identifying the root cause and addressing related issues. The Wordfence CLI, which operates independently of WordPress, serves as a powerful server-level detection tool, reinforcing a layered security approach to protect e-commerce platforms.
This malware underscores the evolving sophistication of cyber threats targeting online stores. Its ability to mimic legitimate code and integrate into the checkout process highlights the need for vigilant monitoring and proactive security measures. E-commerce site owners and customers alike must stay informed and take steps to safeguard their data against such covert attacks.
How to Protect Yourself
To protect yourself, you can try any of the following:
- Install browser extensions like uBlock Origin to monitor and block suspicious network activity
- Use browser developer tools to inspect network requests during checkout for unauthorized data transmissions
- Check if the checkout page behaves differently than normal – watch for unexpected pop-ups, unusual permission requests, or layout changes
- When possible, use virtual credit cards or secure payment providers like PayPal that mask the actual card details
- Consider using disposable payment cards for online transactions to limit exposure
- Monitor your bank statements regularly for unauthorized charges
- Clear browser cache and cookies after making purchases on potentially compromised sites
- Use a dedicated browser or private browsing session for financial transactions
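The network-request check from the list above can also be run offline against a HAR file exported from the browser's developer tools after a checkout session. This is an added example, not code from Wordfence or the original article; the host names, the allowlist and the sample capture are constructed for illustration.

```javascript
// Added example: audit a HAR capture of a checkout session (hosts and sample data are constructed).
// True if host is an allowed host or a subdomain of one.
function hostAllowed(host, allowedHosts) {
  return allowedHosts.some((a) => host === a || host.endsWith("." + a));
}

// Luhn checksum over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// True if text holds a 13-19 digit run (spaces or dashes allowed) that passes Luhn.
function containsCardNumber(text) {
  const runs = text.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((r) => luhnValid(r.replace(/[ -]/g, "")));
}

// Lists requests that carry a body or query data to hosts outside the allowlist.
function findUnexpectedRequests(har, allowedHosts) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    if (hostAllowed(url.hostname, allowedHosts)) continue;
    const body = (request.postData && request.postData.text) || "";
    const payload = [...url.searchParams.values(), body].join(" ").trim();
    if (payload === "") continue; // static asset fetch, nothing transmitted
    // Payloads may be encoded, so the host check is the primary signal; cardData is an extra marker.
    findings.push({ method: request.method, host: url.hostname, cardData: containsCardNumber(payload) });
  }
  return findings;
}

const sampleHar = { log: { entries: [ // constructed sample capture
  { request: { method: "POST", url: "https://api.payments.example/v1/tokens",
               postData: { text: '{"number":"4111111111111111"}' } } },
  { request: { method: "POST", url: "https://metrics-cdn.example/collect",
               postData: { text: '{"cc":"4111 1111 1111 1111","cvv":"123"}' } } },
  { request: { method: "GET", url: "https://img-stats.example/p.gif?d=NDExMTExMTE" } },
] } };
console.log(findUnexpectedRequests(sampleHar, ["shop.example", "payments.example"]));
```

The allowlist should contain only the store's own domain and the payment provider it actually uses; any finding, with or without a readable card number, is worth tracing back to the script that issued the request.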