A deceptive security advisory is being sent to WordPress site administrators, claiming to alert them about a non-existent vulnerability, CVE-2023-45124. This false alarm is being used as a vehicle to infect sites with a harmful plugin. The scam was identified and reported by security experts at Wordfence and PatchStack, who have issued warnings on their respective websites to increase awareness.
The fraudulent emails are designed to appear as if they are sent by WordPress. They warn the recipient about a critical remote code execution (RCE) flaw allegedly detected on their site, and prompt them to download and install a plugin purportedly designed to fix the security issue.
Clicking on the 'Download Plugin' button in the email directs the user to a counterfeit landing page, 'en-gb-wordpress[.]org', which is designed to closely resemble the legitimate 'wordpress.com' site. The listing for the bogus plugin displays a seemingly exaggerated download count of 500,000, and includes numerous fabricated user reviews praising the patch for restoring their compromised site and protecting against hacker attacks.
The majority of the user reviews are five-star ratings, but there are also four-, three-, and one-star reviews included to make it seem more believable. Once installed, the plugin creates a concealed admin user named 'wpsecuritypatch' and transmits data about the victim to the hackers' command and control (C2) server at 'wpgate[.]zip'.
Subsequently, the plugin retrieves a base64-encoded backdoor payload from the C2 and stores it as 'wp-autoload.php' in the website's webroot. The backdoor provides file management capabilities, a SQL client, a PHP console, and a command line terminal, and reveals detailed information about the server environment to the hackers.
The harmful plugin is designed to conceal itself from the list of installed plugins, so a manual search in the site's root directory is necessary to remove it. The ultimate purpose of the plugin is currently unknown. However, PatchStack hypothesizes that it could potentially be used for injecting ads on compromised sites, redirecting visitors, stealing sensitive information, or even blackmailing owners by threatening to publicize their website's database contents.
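Because the plugin hides itself from the installed-plugins list, a filesystem check is the practical way to look for it. The following is an added example, not code from the article or from Wordfence or PatchStack: it scans a WordPress document root for the indicators quoted above (the 'wp-autoload.php' backdoor file in the webroot, and plugin files that reference the C2 domain or the rogue admin name) and builds a constructed sample site to demonstrate the scan. It assumes the indicator strings appear literally in the plugin's PHP; the hidden admin user itself lives in the database and must be checked there.

```python
"""Scan a WordPress document root for the indicators named in the article."""
import tempfile
from pathlib import Path

# Indicators from the article (defanged in the text, literal here for matching).
BACKDOOR_FILE = "wp-autoload.php"
NEEDLES = ("wpgate.zip", "wpsecuritypatch")  # C2 domain, rogue admin username
PLUGIN_DIRS = ("wp-content/plugins", "wp-content/mu-plugins")


def scan_wordpress_root(root):
    """Return [(relative_path, reason)] findings for a site root.

    Filesystem only: the concealed admin user is stored in the database and
    must be checked there (e.g. `wp user list --role=administrator` in WP-CLI).
    """
    root = Path(root)
    findings = []
    if (root / BACKDOOR_FILE).is_file():
        findings.append((BACKDOOR_FILE, "backdoor file present in webroot"))
    for sub in PLUGIN_DIRS:
        base = root / sub
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*.php")):
            text = path.read_text(errors="ignore")
            for needle in NEEDLES:
                if needle in text:
                    findings.append((str(path.relative_to(root)), f"references {needle}"))
    return findings


def demo():
    """Build a constructed sample site in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/plugins/clean").mkdir(parents=True)
        (root / "wp-content/plugins/clean/clean.php").write_text("<?php // benign\n")
        (root / "wp-content/plugins/patch").mkdir(parents=True)
        (root / "wp-content/plugins/patch/patch.php").write_text(
            "<?php // constructed sample, not the real plugin\n"
            "$u = 'wpsecuritypatch'; $c2 = 'https://wpgate.zip/';\n")
        (root / BACKDOOR_FILE).write_text("<?php // constructed placeholder\n")
        return scan_wordpress_root(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a real site as `scan_wordpress_root("/var/www/html")`; any finding warrants a manual look at that file, and a clean result does not rule out the database-resident admin user.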