The Wordfence Threat Intelligence Team has issued a warning about a new phishing campaign targeting WordPress users.

The emails appear to be from the WordPress security team and claim to warn users about a critical Remote Code Execution (RCE) vulnerability on their website, identified by the non-existent CVE-2023-45124.

The emails urge recipients to download and install a “Patch” plugin to fix the vulnerability. However, this plugin is malware that, once installed, grants attackers full control of the website. They can then steal data, inject spam, or launch further attacks.

The Download Plugin link redirects the victim to a convincing fake landing page at en-gb-wordpress[.]org.

If the victim downloads the plugin and installs it on their WordPress site, the plugin is installed with a slug of wpress-security-wordpress and adds a malicious administrator user with the username wpsecuritypatch.


It then sends the site URL and the generated password for this user back to a C2 domain, wpgate[.]zip. The malicious plugin also includes functionality to keep this user hidden. Additionally, it downloads a separate backdoor from wpgate[.]zip and saves it under the filename wp-autoload.php in the webroot. This separate backdoor is protected by a hardcoded password and includes a file manager, a SQL client, a PHP console, and a command-line terminal, in addition to displaying server environment information.

This allows attackers to maintain persistence through multiple forms of access, granting them full control over the WordPress site as well as the web user account on the server.
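As an added example (not part of the Wordfence report), the following POSIX shell check looks for the indicators described above on a site's filesystem: the plugin slug, the dropped wp-autoload.php, plugin code referencing the C2 domain, and the wpsecuritypatch account. The webroot path and the optional exported user list (one login per line, e.g. from WP-CLI, since the script has no database access) are assumptions of this example.

```shell
#!/bin/sh
# Constructed detection helper for the campaign described in the article.
# Prints one line per indicator found; the exit status is the number of hits
# (0 means none of the indicators were found).
# Usage: wp_ioc_scan /var/www/html [users.txt]
#   $1 = WordPress webroot (assumed path)
#   $2 = optional file listing user_login values, one per line (assumed format)
wp_ioc_scan() {
    root=$1
    users_file=${2:-}
    hits=0

    # 1. Plugin directory using the slug the fake "Patch" plugin installs under.
    if [ -d "$root/wp-content/plugins/wpress-security-wordpress" ]; then
        echo "IOC: plugin directory wp-content/plugins/wpress-security-wordpress present"
        hits=$((hits + 1))
    fi

    # 2. Secondary backdoor dropped into the webroot.
    if [ -f "$root/wp-autoload.php" ]; then
        echo "IOC: backdoor file wp-autoload.php present in webroot"
        hits=$((hits + 1))
    fi

    # 3. Any PHP file under the plugins tree that references the C2 domain.
    if find "$root/wp-content/plugins" -type f -name '*.php' \
            -exec grep -l 'wpgate\.zip' {} + 2>/dev/null | grep -q .; then
        echo "IOC: C2 domain wpgate.zip referenced in plugin code"
        hits=$((hits + 1))
    fi

    # 4. Hidden administrator account created by the plugin (needs the user list).
    if [ -n "$users_file" ] && grep -qx 'wpsecuritypatch' "$users_file"; then
        echo "IOC: administrator account wpsecuritypatch present"
        hits=$((hits + 1))
    fi

    return "$hits"
}
```

A hit on any single indicator warrants a full incident response, since the report describes several independent persistence mechanisms that survive removal of the plugin alone.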
