Fake WordPress security advisory pushes backdoor plugin

December 4, 2023 at 12:19PM

WordPress security experts are warning of phishing emails with fake security advisories asking admins to install a malicious plugin, which creates a hidden user and downloads a backdoor to the site, potentially for injecting ads, stealing data, or blackmail. Users are urged to be cautious.

**Key takeaways from the article:**

1. A phishing campaign targeting WordPress administrators circulates fake WordPress security advisories about a non-existent vulnerability (CVE-2023-45124).

2. Experts from Wordfence and PatchStack have detected and reported the scam, issuing alerts to raise awareness among WordPress users.

3. The fraudulent emails claim to originate from WordPress, stating a critical remote code execution (RCE) flaw has been found and prompting admins to download a phony plugin as a fix.

4. The download link in the email leads to a fake WordPress landing page (‘en-gb-wordpress[.]org’) designed to mimic the authentic wordpress.com site.

5. The bogus plugin is presented with an inflated download count and fake user reviews to lend credibility to the scam.

6. Once installed, the plugin creates a concealed admin user (‘wpsecuritypatch’) and communicates with the attackers’ command and control server (‘wpgate[.]zip’).

7. It downloads a base64-encoded backdoor and writes it to the site root as ‘wp-autoload.php’, giving the attackers file management, database access, and detailed information about the server.

8. The malicious plugin hides itself from the WordPress dashboard, so it cannot be found or removed from the installed-plugins list; removal requires manually searching the site’s root directory for the dropped files.

9. The exact purpose of the malicious plugin is still unclear, but it may be involved in various malicious activities such as ad injections, data theft, or blackmail.

10. WordPress administrators should remain vigilant, disregard such phishing emails, and rely on official WordPress channels for security updates.
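Because the plugin hides itself from the dashboard (takeaways 6 to 8), an administrator who suspects they installed it needs a check that runs against the disk rather than the WordPress UI. The script below is an added example, not code from the article or from Wordfence/Patchstack: it sweeps a WordPress root for the three indicators the article reports (the ‘wp-autoload.php’ backdoor in the site root, the ‘wpgate.zip’ command-and-control host, and the ‘wpsecuritypatch’ username). The function name `wp_ioc_scan` and the assumption that the install uses the standard `wp-content` layout are ours.

```shell
#!/bin/sh
# Added example: read-only indicator-of-compromise sweep of a WordPress
# install for the artifacts the article attributes to the fake
# "security patch" plugin. Not the article's or the vendors' code.

# Indicators taken from the article: the dropped backdoor file name, the
# C2 host, and the hidden administrator username the plugin creates.
BACKDOOR_FILE="wp-autoload.php"

# wp_ioc_scan ROOT
# Prints one line per finding and a summary line; returns 1 if anything
# matched, 0 if the install looks clean. Assumes a standard WordPress
# layout (wp-content/ directly under ROOT).
wp_ioc_scan() {
    root=$1
    hits=0

    # 1. The backdoor is written to the site root, not into the plugin
    #    directory, so a plugin-only scan would miss it.
    if [ -f "$root/$BACKDOOR_FILE" ]; then
        echo "FOUND backdoor file: $root/$BACKDOOR_FILE"
        hits=$((hits + 1))
    fi

    # 2. Any file under wp-content that references the C2 host or the
    #    hidden username. The plugin hides itself from the dashboard but
    #    its code is still on disk. -F keeps the dot in wpgate.zip literal;
    #    -l lists each matching file once.
    if [ -d "$root/wp-content" ]; then
        matches=$(grep -rlF -e 'wpgate.zip' -e 'wpsecuritypatch' \
                  "$root/wp-content" 2>/dev/null || true)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches" | sed 's/^/FOUND indicator string in: /'
            hits=$((hits + $(printf '%s\n' "$matches" | wc -l)))
        fi
    fi

    # 3. The hidden user lives in the database, not on disk. If WP-CLI is
    #    installed, list administrator logins and flag the known name.
    #    (Skipped silently when `wp` is not on PATH.)
    if command -v wp >/dev/null 2>&1; then
        admins=$(wp user list --role=administrator --field=user_login \
                 --path="$root" 2>/dev/null || true)
        if printf '%s\n' "$admins" | grep -qx 'wpsecuritypatch'; then
            echo "FOUND hidden admin user: wpsecuritypatch"
            hits=$((hits + 1))
        fi
    fi

    if [ "$hits" -gt 0 ]; then
        echo "$hits indicator(s) found under $root"
        return 1
    fi
    echo "no indicators found under $root"
    return 0
}

# Usage: sh wp_ioc_scan.sh /var/www/html
if [ $# -gt 0 ]; then
    wp_ioc_scan "$1"
fi
```

A clean result from this sweep only means these specific strings are absent; a backdoor that has since been re-encoded or renamed will not match, so treat a hit as confirmation and a miss as nothing more than the absence of these known indicators. The database check is the one that matters for the hidden user, since a plugin can filter what the dashboard shows but cannot remove the row from `wp_users`.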