Fake WordPress Patch Plugin Phishing Scam Tricks Users Into Installing Backdoor Plugin on WordPress

by nativetechdoctor

Wordfence has reported a phishing campaign targeting WordPress users with an email claiming to be from the WordPress team and warning of a remote code execution vulnerability with the identifier CVE-2023-45124. However, this identifier is not a valid CVE. The email prompts the victim to download and install a “Patch” plugin.


Instead of delivering a genuine update, the download prompt redirects victims to a convincing fake landing page at en-gb-wordpress[.]org. Be cautious and do not download or install any suspicious plugins.


The plugin, disguised as a security update, is installed with a slug of “wpress-security-wordpress” and adds a malicious administrator user with the username “wpsecuritypatch”. The plugin sends the site URL and generated password for this user back to a C2 domain, wpgate[.]zip. Additionally, the plugin downloads a separate backdoor, wp-autoload.php, from the C2 domain and saves it in the webroot. This backdoor includes a hardcoded password and provides a file manager, SQL client, PHP console, and command line terminal, as well as displaying server environment information.


The rogue administrator account and the backdoor allow attackers to maintain access to the WordPress site and server even after a successful login attempt. This can lead to full control over the site and server, posing a significant security risk.
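The indicators named above (plugin slug, administrator username, backdoor file name and C2 domain) can be checked on a site with a short script. This is an added example, not code from Wordfence or from the original post; it assumes the default `wp-content/plugins` layout, and `scan_site` and its parameters are hypothetical names.

```python
"""Check a WordPress install for the indicators named in this article (added example)."""
import os
import sys

PLUGIN_SLUG = "wpress-security-wordpress"   # slug of the fake patch plugin
ROGUE_ADMIN = "wpsecuritypatch"             # administrator account it creates
BACKDOOR_FILE = "wp-autoload.php"           # backdoor saved in the webroot
C2_DOMAIN = "wpgate[.]zip".replace("[.]", ".")  # refanged only in memory


def scan_site(webroot, user_logins=(), log_lines=()):
    """Return a list of (indicator, detail) findings for one site.

    user_logins: login names, e.g. from `wp user list --field=user_login`.
    log_lines:   proxy, DNS or firewall log lines covering outbound traffic.
    """
    findings = []
    # Assumption: plugins live in the default wp-content/plugins directory.
    plugin_dir = os.path.join(webroot, "wp-content", "plugins", PLUGIN_SLUG)
    if os.path.isdir(plugin_dir):
        findings.append(("plugin", plugin_dir))
    backdoor = os.path.join(webroot, BACKDOOR_FILE)
    if os.path.isfile(backdoor):
        findings.append(("backdoor", backdoor))
    for login in user_logins:
        if login.strip().lower() == ROGUE_ADMIN:
            findings.append(("user", login.strip()))
    for line in log_lines:
        if C2_DOMAIN in line.lower():
            findings.append(("c2", line.strip()))
    return findings


if __name__ == "__main__":
    # Usage: wp user list --field=user_login | python check_ioc.py /var/www/html
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    logins = [] if sys.stdin.isatty() else sys.stdin.read().splitlines()
    hits = scan_site(root, logins)
    for kind, detail in hits:
        print(f"[!] {kind}: {detail}")
    sys.exit(1 if hits else 0)
```

Any finding means the site should be treated as compromised: the article states that the plugin reports the new account's password to the C2 domain and drops a separate backdoor, so removing the plugin alone does not remove the attacker's access.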

Source: wordfence
