The plugin has (at the moment) six different file system scanners, one of those is used to power the functionality of the “Core Integrity Checks”, this scanner only reads the content of the main WordPress directories [1] found in all the official archives. So there is a high probability that the modified file(s) is/are inside the content directory since the plugin is not reporting any core file as modified.
People usually hide their malicious code in themes, fake plugins, and tables of the database associated with the website, for WordPress-based sites they usually pick the options table because it is very easy to inject content there and make it appear in the frontend with the native WordPress functions.
Somehow it is good that you are experiencing this only when you are not logged in because it will be easier to spot the origin of the malware with a web scanner. Try to use the “Malware Scan” tool available in the plugin and see if it detects the signature of the malicious code, if not you can send the link of your site to this email [2] and do not for get to reference this ticket so my co-workers can forward the message to me.
[1] wp-admin, wp-includes, and the root directory.
[2] Sucuri Research [email protected]
