The attacker lodged the script near the end of a jQuery file, ./wp-includes/js/jquery/jquery.js, “inserted before the ending jQuery.noConflict();”. The part of the script used to actually harvest the card details was found in the “./wp-includes/rest-api/class-wp-rest-api.php” file. It behaves like other PHP malware.
Once it’s scooped up the payment details, the malicious script saves both the payment-card numbers and CVV card security codes in plain text in the form of cookies. It then uses the legitimate file_put_contents function to collect them into two separate image files (a .PNG file and a JPEG). These are kept in the wp-content/uploads directory structure.
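A defender can triage the uploads tree for this storage pattern. The script below is an added example, not code from the original report: it assumes the dump files hold the raw text with no real image header, and the default wp-content/uploads path and the function names are illustrative.

```python
import os
import re
import sys

# Leading bytes of genuine PNG and JPEG files, keyed by extension.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
# Runs of 13-19 digits, the length range of payment-card numbers.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Return True if the ASCII digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII '0' is 48
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_uploads(root: str) -> list:
    """Return sorted (path, reason) pairs for image-named files that are not images."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first 1 MiB is enough for triage
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if data.startswith(MAGIC[ext]):
                continue  # header matches the extension
            hits = [m for m in PAN_RE.findall(data) if luhn_ok(m)]
            reason = "card-like numbers" if hits else "bad image header"
            findings.append((path, reason))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed default path; pass the site's real uploads directory as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for path, reason in scan_uploads(root):
        print(f"{reason}\t{path}")
```

A file that carries a valid image header with card data appended would pass this check, so treat a clean result as triage, not clearance.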