WordPress Bug 'Patch' Installs Backdoor for Full Site Takeover

A faux security alert purports to provide a fix for an RCE flaw, but instead creates a user with admin privileges and spreads a backdoor to infected sites.

A mobile device with the WordPress logo and a blue background on the screen next to a computer screen open to the WordPress homepage
Source: Primakov via Shutterstock

Attackers are targeting WordPress users with a fake security alert that warns of a fabricated remote code execution (RCE) flaw; it offers a "patch" that in actuality spreads malicious code that can hijack the site.

The email campaign, identified by researchers at both Wordfence and Patchstack, impersonates WordPress and warns users of a vulnerability, CVE-2023-45124, urging them to click on a link to download a plugin that will fix the flaw.

"This is not a legitimate email and the plugin that they are asking you to download and install will infect your website with a backdoor and malicious administrator account," Patchstack warned users in a blog post about the campaign.

Attackers can use the backdoor to conduct malicious activity, such as injecting advertisements into the site, redirecting users to a malicious site, or stealing billing info, according to Patchstack. They also can leverage it for distributed denial of service (DDoS) attacks, or can blackmail site owners by making a copy of the site's database and then holding it hostage for a cryptocurrency payment.

The good news is that so far, it does not appear as if any targets have been infected by the campaign, which requires user action to be successful, the researchers noted.

Moreover, attackers aim to get users to do their dirty work for them by informing victims who install and activate the plugin that "CVE-2023-45124 has been patched successfully” and then encouraging them to share the "patch" with "people you think might be affected by this vulnerability," according to Patchstack.

Protect Your WordPress Site

With hundreds of millions of websites built on WordPress, the platform and its users represent a large attack surface for threat actors and thus are frequent targets of malicious campaigns via plugins that install malware or phishing campaigns that target WordPress users — or, in this case, both. Attackers also tend to quickly pounce on flaws that are discovered in WordPress, a risk of which the current campaign takes full advantage by luring users with the threat of a potentially exploitable vulnerability.

Current indicators of compromise that a site has been infected include the creation of a user with the username "wpsecuritypatch"; the presence of a file called "wp-autoload.php" in the root folder of the WordPress site; the existence of a folder called "wpress-security-wordpress" or "cve-2023-45124" in the /wp-content/plugins/ folder; and outgoing requests sent to wpgate[.]zip, the attacker-controlled site, according to Patchstack.

However, these variables could change depending on the whim of attackers, the researchers warned. "Tomorrow they could very well have the username set to something else or set up another malicious domain name," according to the post.

Wordfence plans to release a future post taking a deeper dive into the plugin and backdoor. For now the researchers warned users that they should be on the lookout for the phishing email associated with the campaign and avoid clicking on any links contained within, even an "unsubscribe" link.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights