InvoiceNinja.com website infected with malware

@AltF4

It looks like an outdated plugin which has since been purged. We are in the process of developing a new site.

1 Like

I’ve had one of my client’s sites infected with the same stuff, and have been looking for the source of the infection for days. Disabling all the plugins and the theme doesn’t help, nor does reinstalling the WordPress core, which leaves me with the choice of reinstalling all the plugins from the WP repo and the creators’ websites. I’ve ended up temporarily muting the popup by pre-emptively setting the cookie and localStorage vars.

@david could you please tell which plugins you purged?

Well done @PatrickH123, I hope Invoice Ninja’s awarded you some PRO invoicing plan for life or something similar :slight_smile:

1 Like

@cryptoco

We believe the vector was the elementor-pro plugin. We had to get Sucuri to perform the clean on the WordPress installation; I would recommend reaching out to them if you want to save your installation.

@PatrickH123 thanks for reporting this, send us an email at contact@invoiceninja.com and we’ll sort out a whitelabel license or pro plan.

4 Likes

I’ve found the root cause of the issue on my site - it was a folder named after a legit plugin, but containing only one PHP file with a lot of unneeded code and some payload parts here and there. The legit plugin code was not present. The offending code was calling the get_option() function to retrieve the actual payload from the wp_option table, where several base64-encoded values were stored under human-readable option names like “mobile_stylesheet” and “inputStyles”.

I’ve decoded the payload and gone through it; it’s a pretty interesting way to store, propagate, and restore the payload. Have a read: hello_newscript - 8d3b23a9

TL;DR: find the plugin that doesn’t show in your wp-admin plugins page but has a folder in wp-content/plugins/, and see if it is legit code for that plugin or a replacement that loads the payload from your DB.
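The check described in the post above can be scripted. The following is an added example, not code from the poster or from Invoice Ninja: it walks a `wp-content/plugins/` directory, treats a plugin folder whose top-level PHP files carry no `Plugin Name:` header as invisible to wp-admin (that is how WordPress decides what to list), and separately flags folders where `get_option()` and `base64_decode()` appear together, the loader shape the post describes. The folder names, file contents and option-based fixture are constructed for the demonstration; only the option names `mobile_stylesheet` and `inputStyles` come from the thread.

```python
import os
import re
import shutil
import tempfile

# WordPress lists a folder under wp-admin > Plugins only if a PHP file at the
# top level of that folder carries a "Plugin Name:" header within its first 8 KB.
PLUGIN_HEADER_RE = re.compile(r"Plugin Name:\s*\S")

# Loader traits described in the thread: option values fetched with get_option()
# and base64-decoded before use. Each alone is common in legitimate plugins;
# the combination inside a header-less folder is what deserves a manual look.
TRAITS = {
    "get_option": re.compile(r"\bget_option\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "dynamic_code": re.compile(r"\b(?:eval|assert|create_function)\s*\("),
}


def read_text(path, limit=None):
    """Read a file as text; limit mimics WordPress reading only the header region."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read() if limit is None else fh.read(limit)


def top_level_php(folder):
    """PHP files directly inside the plugin folder (the only ones WordPress scans)."""
    return [os.path.join(folder, f) for f in sorted(os.listdir(folder))
            if f.lower().endswith(".php") and os.path.isfile(os.path.join(folder, f))]


def all_php(folder):
    """Every PHP file in the folder tree, for the trait scan."""
    for root, _dirs, files in os.walk(folder):
        for f in sorted(files):
            if f.lower().endswith(".php"):
                yield os.path.join(root, f)


def audit_plugins_dir(plugins_root):
    """Return {folder_name: {"reasons": [...], "traits": [...]}} for suspicious folders."""
    findings = {}
    for name in sorted(os.listdir(plugins_root)):
        folder = os.path.join(plugins_root, name)
        if not os.path.isdir(folder):
            continue
        has_header = any(PLUGIN_HEADER_RE.search(read_text(p, 8192))
                         for p in top_level_php(folder))
        traits = set()
        for p in all_php(folder):
            text = read_text(p)
            traits.update(label for label, rx in TRAITS.items() if rx.search(text))
        reasons = []
        if not has_header:
            reasons.append("no Plugin Name header: folder is invisible in wp-admin")
        if {"get_option", "base64_decode"} <= traits:
            reasons.append("get_option() and base64_decode() together: check for a DB-stored loader")
        if reasons:
            findings[name] = {"reasons": reasons, "traits": sorted(traits)}
    return findings


# Constructed fixture (not from the thread): one ordinary plugin and one
# header-less folder shaped like the poster's description.
LEGIT_PHP = """<?php
/**
 * Plugin Name: Example Legit Plugin
 */
$color = get_option('example_legit_color', '#000');
"""

ROGUE_PHP = """<?php
// no plugin header, so wp-admin never lists this folder
$a = base64_decode(get_option('mobile_stylesheet'));
$b = base64_decode(get_option('inputStyles'));
eval($a . $b);
"""


def build_sample_tree():
    """Create a throwaway plugins directory containing the two fixtures above."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(root, "example-legit-plugin"))
    with open(os.path.join(root, "example-legit-plugin", "example-legit-plugin.php"), "w") as fh:
        fh.write(LEGIT_PHP)
    os.makedirs(os.path.join(root, "example-rogue-plugin"))
    with open(os.path.join(root, "example-rogue-plugin", "index.php"), "w") as fh:
        fh.write(ROGUE_PHP)
    return root


def demo():
    """Run the audit over the constructed tree and clean up afterwards."""
    root = build_sample_tree()
    try:
        return audit_plugins_dir(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for folder, info in demo().items():
        print(folder)
        for reason in info["reasons"]:
            print("  -", reason)
        print("  traits:", ", ".join(info["traits"]))
```

Against a real site, call `audit_plugins_dir("/path/to/wp-content/plugins")` and compare the header-less folders it reports with the Plugins page in wp-admin; the missing-header reason is the strong signal, while the `get_option()` plus `base64_decode()` reason will also hit some legitimate plugins and is only a prompt to read the code.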