A large-scale phishing campaign is currently targeting WordPress users, with attackers sending emails claiming that a critical vulnerability (CVE-2023-45124) exists in their WordPress websites. The emails falsely inform users that a “Remote Code Execution” (RCE) vulnerability has been identified and urge them to install a “patch” created by the WordPress team. This alert is a scam, designed to trick users into downloading a malicious plugin that compromises their websites.
Fake Vulnerability Alert
Over the past few days, the Patchstack team has been monitoring multiple variations of phishing emails that deceive WordPress users into thinking their websites are vulnerable. The attackers claim that the vulnerability is associated with “CVE-2023-45124” and instruct users to apply an immediate fix. The email provides a download link to a plugin that supposedly patches the flaw, but this is a deliberate attempt to infect users with malware.
The critical point to note is that WordPress will never ask users to install a patch manually in the form of a plugin. Instead, legitimate WordPress updates are rolled out through official core updates. Users should always avoid downloading plugins from unofficial sources.
Malicious Plugin and Infection Process
When a user clicks on the download link in the phishing email, they are directed to a fake website that mimics the official WordPress.org site. The fraudulent site uses deceptive domain names such as wordpress.secureplatform.org and en-gb-wordpress.org. These domains are designed to look like the legitimate WordPress website, further convincing users of the validity of the scam.
Upon downloading the malicious file, which may be named something like cve-2023-45124.zip, and installing it, the plugin will display a message claiming that the vulnerability has been successfully patched. It will also encourage the user to share this patch with others, aiming to spread the infection.
However, the real consequences are much worse. The plugin creates a new administrator account on the infected WordPress site, using the username “wpsecuritypatch.” This account is granted full privileges, allowing the attackers to control the website remotely.
Remote Access and Future Exploits
Once the plugin is activated, it communicates with the attacker’s server through an HTTP GET request to a specific URL (e.g., wpgate.zip/wpapi), sending back base64-encoded data that includes the site’s URL and the password for the newly created administrator account. This process enables the attackers to gain full access to the site.
The attackers then place a backdoor in the form of a file in the site’s root directory. This file is designed to remain hidden and can be used at a later time to exploit the website further. Possible uses of the backdoor include:
- Injecting malicious advertisements into the website.
- Redirecting visitors to harmful sites.
- Using the compromised websites to launch Distributed Denial-of-Service (DDoS) attacks.
- Stealing sensitive information such as billing data.
- Ransoming websites by encrypting databases and demanding cryptocurrency payments.
This backdoor shares characteristics with the widely known PAS backdoor, which has been described in public GitHub repositories, providing further evidence of the sophistication of the attack.
Indicators of Compromise
There are several key indicators that a WordPress site has been compromised by this phishing attack:
- A new user account named “wpsecuritypatch” with administrator privileges.
- An unexpected file placed in the root folder of the WordPress installation (the backdoor described above).
- A folder for the installed plugin named either wpress-security-wordpress or cve-2023-45124.
- Outbound requests sent to domains like wpgate.zip.
Users should be vigilant for these signs and take immediate action to secure their websites if any of these indicators are present.
Prevention and Mitigation
Patchstack is actively monitoring its customers’ logs and has added new rules in its “Advanced Hardening” module to prevent the installation of this malicious plugin. WordPress website owners are advised to:
- Avoid downloading plugins from unsolicited emails or unfamiliar sources.
- Regularly check user accounts for any unauthorized additions, particularly accounts with administrator privileges.
- Scan their websites for suspicious files or changes in the core WordPress files.
- Use trusted security plugins and keep their WordPress installation up-to-date to protect against known vulnerabilities.
If users suspect their site has been compromised or if they need help assessing the security of their website, they are encouraged to contact the Patchstack team for further assistance.
Conclusion
This phishing campaign highlights the ongoing risks posed to WordPress users by cybercriminals using deceptive tactics to gain control of websites. The attackers’ ability to impersonate the WordPress team and distribute malicious plugins underscores the importance of vigilance and awareness in maintaining website security. By following best practices for security and staying informed about emerging threats, users can better protect their sites from such attacks.