Fake WordPress Security Alert Used to Distribute Malicious Plugin

December 4, 2023

A fake security advisory is being emailed to WordPress site administrators, warning them about a vulnerability that does not exist, CVE-2023-45124. The bogus alert is the lure for installing a malicious plugin. The campaign was identified and reported by researchers at Wordfence and PatchStack, who have published warnings on their respective sites.

The emails are crafted to look as if they come from WordPress. They warn the recipient about a critical remote code execution (RCE) flaw supposedly detected on their site and prompt them to download and install a plugin that purportedly fixes it. That delivery method is itself a tell: fixes for WordPress core ship through the normal core update mechanism, not as separately downloaded plugins.

Clicking the 'Download Plugin' button in the email sends the user to a counterfeit landing page, 'en-gb-wordpress[.]org', built to closely resemble the legitimate 'wordpress.com' site. The listing for the bogus plugin shows an inflated download count of 500,000 and carries numerous fabricated user reviews praising the patch for restoring the reviewer's compromised site and protecting it against attackers.

Most of the reviews are five-star ratings, but four-, three-, and one-star reviews are mixed in to make the listing look more believable. Once installed, the plugin creates a hidden administrator user named 'wpsecuritypatch' and sends information about the victim site to the attackers' command-and-control (C2) server at 'wpgate[.]zip'.

The plugin then fetches a base64-encoded backdoor payload from the C2, decodes it, and writes it to the website's webroot as 'wp-autoload.php'. The backdoor provides file management, a SQL client, a PHP console, and a command-line terminal, and reports detailed information about the server environment back to the attackers.

The plugin hides itself from the installed-plugins list, so it cannot be found or removed through the dashboard. Cleanup requires searching the site's filesystem directly (the wp-content/plugins directory for the plugin itself, and the webroot for 'wp-autoload.php'), deleting both, and removing the 'wpsecuritypatch' administrator account. The plugin's ultimate purpose is not yet known. PatchStack hypothesizes that it could be used to inject ads on compromised sites, redirect visitors, steal sensitive information, or extort site owners by threatening to publish the contents of their database.
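Because the plugin hides itself from the Plugins screen, a practical check has to work from the filesystem and the database rather than from the dashboard. The script below is an added example written for this article, not code from Wordfence, PatchStack or the WordPress project. It looks for the four indicators the article names: the 'wp-autoload.php' backdoor in the webroot, PHP files that reference 'wpgate[.]zip', a plugin directory on disk that the dashboard does not show, and the 'wpsecuritypatch' administrator (or any administrator you did not create). The sample directory tree, the plugin slug 'fake-security-patch', and the user rows are constructed for the demonstration; the real plugin's directory name is not given on the page.

```python
"""Offline triage for the indicators described above (constructed example, not the original page's code)."""
import re
import tempfile
from pathlib import Path

# Indicators named in the article.
IOC_ADMIN_USER = "wpsecuritypatch"
IOC_C2_HOST = "wpgate.zip"
IOC_BACKDOOR = "wp-autoload.php"

# Match the C2 host with a literal dot or a defanged "[.]", so pasted IoC lists match too.
C2_RE = re.compile(re.escape(IOC_C2_HOST).replace(r"\.", r"(?:\.|\[\.\])"))


def scan_webroot(webroot: Path) -> dict:
    """Report the backdoor file in the webroot and any PHP file that references the C2 host."""
    findings = {"backdoor": [], "c2_refs": []}
    if (webroot / IOC_BACKDOOR).is_file():
        findings["backdoor"].append(str(webroot / IOC_BACKDOOR))
    for path in webroot.rglob("*.php"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file; skip rather than abort the scan
        if C2_RE.search(text):
            findings["c2_refs"].append(str(path.relative_to(webroot)))
    findings["c2_refs"].sort()
    return findings


def find_unlisted_plugins(webroot: Path, dashboard_plugins: list) -> list:
    """Plugin directories on disk that the Plugins screen does not show.

    dashboard_plugins holds the 'dir/main-file.php' slugs the dashboard (or `wp plugin list`)
    reported. A plugin that filters itself out of that list still has a directory on disk.
    """
    shown = {slug.split("/")[0] for slug in dashboard_plugins}
    plugins_dir = webroot / "wp-content" / "plugins"
    on_disk = {d.name for d in plugins_dir.iterdir() if d.is_dir()}
    return sorted(on_disk - shown)


def find_rogue_admins(user_rows: list, expected_admins: set) -> list:
    """user_rows are (user_login, wp_capabilities) pairs from wp_users joined with wp_usermeta.

    wp_capabilities is PHP-serialized, e.g. a:1:{s:13:"administrator";b:1;}. Flag the known
    malicious login and any administrator that is not in the expected set.
    """
    rogue = []
    for login, caps in user_rows:
        is_admin = '"administrator"' in caps
        if login == IOC_ADMIN_USER or (is_admin and login not in expected_admins):
            rogue.append(login)
    return rogue


def run_triage(webroot: Path, dashboard_plugins: list, user_rows: list, expected_admins: set) -> dict:
    """Combine the three checks into one report."""
    report = scan_webroot(webroot)
    report["unlisted_plugins"] = find_unlisted_plugins(webroot, dashboard_plugins)
    report["rogue_admins"] = find_rogue_admins(user_rows, expected_admins)
    return report


def build_sample_site() -> Path:
    """Constructed WordPress tree: one benign plugin and one that carries the indicators."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    benign = root / "wp-content" / "plugins" / "akismet"
    benign.mkdir(parents=True)
    (benign / "akismet.php").write_text("<?php // benign placeholder\n")
    # Hypothetical slug for the malicious plugin; the real directory name is not on the page.
    rogue = root / "wp-content" / "plugins" / "fake-security-patch"
    rogue.mkdir()
    (rogue / "plugin.php").write_text(
        "<?php\n$c2 = 'https://wpgate.zip/';\n"
        # all_plugins is the real WordPress filter a plugin can abuse to hide from the Plugins screen.
        "add_filter('all_plugins', function ($p) { unset($p['fake-security-patch/plugin.php']); return $p; });\n"
    )
    (root / IOC_BACKDOOR).write_text("<?php eval(base64_decode('...'));\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    result = run_triage(
        site,
        dashboard_plugins=["akismet/akismet.php"],  # what the tampered Plugins screen shows
        user_rows=[("admin", 'a:1:{s:13:"administrator";b:1;}'),
                   ("wpsecuritypatch", 'a:1:{s:13:"administrator";b:1;}')],
        expected_admins={"admin"},
    )
    for key, hits in result.items():
        print(f"{key}: {hits}")
```

On a real site, feed `scan_webroot` the actual document root, `find_unlisted_plugins` the output of `wp plugin list` run on the same host, and `find_rogue_admins` a query joining wp_users with wp_usermeta on meta_key 'wp_capabilities'. Treat any hit as a compromise: a backdoor with a SQL client and PHP console means every credential the site held should be rotated after cleanup, not just the rogue account deleted.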
