WordPress Bug 'Patch' Installs Backdoor for Full Site Takeover

Attackers are targeting WordPress users with a fake security alert that warns of a fabricated remote code execution (RCE) flaw; it offers a "patch" that in actuality spreads malicious code that can hijack the site.

The email campaign, identified by researchers at both Wordfence and Patchstack, impersonates WordPress and warns users of a vulnerability, CVE-2023-45124, urging them to click on a link to download a plugin that will fix the flaw.

"This is not a legitimate email and the plugin that they are asking you to download and install will infect your website with a backdoor and malicious administrator account," Patchstack warned users in a blog post about the campaign.

Attackers can use the backdoor to conduct malicious activity, such as injecting advertisements into the site, redirecting users to a malicious site, or stealing billing info, according to Patchstack. They also can leverage it for distributed denial of service (DDoS) attacks, or can blackmail site owners by making a copy of the site's database and then holding it hostage for a cryptocurrency payment.

The good news is that so far, it does not appear as if any targets have been infected by the campaign, which requires user action to be successful, the researchers noted.

Moreover, attackers aim to get users to do their dirty work for them by informing victims who install and activate the plugin that "CVE-2023-45124 has been patched successfully” and then encouraging them to share the "patch" with "people you think might be affected by this vulnerability," according to Patchstack.

Protect Your WordPress Site

With hundreds of millions of websites built on WordPress, the platform and its users represent a large attack surface for threat actors and thus are frequent targets of malicious campaigns via plugins that install malware or phishing campaigns that target WordPress users — or, in this case, both. Attackers also tend to quickly pounce on flaws that are discovered in WordPress, a risk of which the current campaign takes full advantage by luring users with the threat of a potentially exploitable vulnerability.

Current indicators of compromise that a site has been infected include the creation of a user with the username "wpsecuritypatch"; the presence of a file called "wp-autoload.php" in the root folder of the WordPress site; the existence of a folder called "wpress-security-wordpress" or "cve-2023-45124" in the /wp-content/plugins/ folder; and outgoing requests sent to wpgate[.]zip, the attacker-controlled site, according to Patchstack.

However, these variables could change depending on the whim of attackers, the researchers warned. "Tomorrow they could very well have the username set to something else or set up another malicious domain name," according to the post.

Wordfence plans to release a future post taking a deeper dive into the plugin and backdoor. For now the researchers warned users that they should be on the lookout for the phishing email associated with the campaign and avoid clicking on any links contained within, even an "unsubscribe" link.