Note: cappuccicons​.com is actively serving malware. Do not visit the domain in a browser. Treat any link to it in this advisory as a reference only.

Summary

WordPress VIP is publishing this advisory to inform customers of a security matter affecting sites that reference an external icon script from cappuccicons​.com.

cappuccicons​.com was previously used to host a popular icon script that has been embedded in custom themes and customer-authored content on sites across the web. The domain expired and was re-registered on 2026-05-18 by an unrelated party. The new owner is now serving malicious JavaScript from the domain, and any site that loads this script will redirect visitors to attacker-controlled destinations.

Impact

Sites are only affected if the reference is present in their database content — post content, custom HTML blocks, widgets, or similar customer-authored content. The observed behavior is visitors being redirected to malicious destinations.

If you have not received reports of unexpected redirects, and visiting your own site does not trigger one, your site may not be affected. Confirming that the URL is not present in your database is the only way to be certain.

What WordPress VIP Has Done

  • Reviewed customer codebases and confirmed the reference is not present in code.
  • Reported the malicious domain to Akamai (current host) and Google Safe Browsing.
  • Contacted the domain registrar (Dynadot); a response is pending.

Recommended Action

Customers should review their database content for any reference to cappuccicons​.com and remove any references found.
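
One way to carry out this review, as an added example that is not part of the original advisory: read-only queries over the standard WordPress tables that hold customer-authored content. It assumes MySQL or MariaDB, a single site and the default `wp_` table prefix; multisite and custom installs use other prefixes.

```sql
-- Added example: read-only searches for the expired domain in a WordPress database.
-- Assumptions: MySQL/MariaDB, single site, default "wp_" table prefix.
-- The pattern is typed by hand as a literal: a domain pasted from a web page
-- can carry invisible characters that make LIKE silently match nothing.

-- Posts, pages, reusable blocks and Custom HTML blocks are stored in post_content.
-- Revisions match as well; post_type and post_status show which rows are live.
SELECT ID, post_type, post_status, post_title
FROM wp_posts
WHERE post_content LIKE '%cappuccicons.com%'
   OR post_excerpt LIKE '%cappuccicons.com%'
ORDER BY post_type, ID;

-- Custom fields and page-builder data attached to posts.
SELECT meta_id, post_id, meta_key
FROM wp_postmeta
WHERE meta_value LIKE '%cappuccicons.com%';

-- Widgets and theme or customizer settings are stored as options.
SELECT option_id, option_name, autoload
FROM wp_options
WHERE option_value LIKE '%cappuccicons.com%';

-- Term and user metadata (for example, author bios containing HTML).
SELECT meta_id, term_id, meta_key
FROM wp_termmeta
WHERE meta_value LIKE '%cappuccicons.com%';

SELECT umeta_id, user_id, meta_key
FROM wp_usermeta
WHERE meta_value LIKE '%cappuccicons.com%';

-- Comments, including ones still held for moderation.
SELECT comment_ID, comment_post_ID, comment_approved
FROM wp_comments
WHERE comment_content LIKE '%cappuccicons.com%';
```

Each returned row identifies where the reference lives. Option and meta values are often PHP-serialized, so remove the reference through the WordPress editor or a serialization-aware tool rather than a raw SQL string replacement, which would leave the stored string lengths wrong.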

Our Commitment

Security is core to the WordPress VIP platform. WordPress VIP will continue to monitor this situation and provide updates if further information becomes available.

For questions, please open a ticket with support@wpvip.com.