Fake WordPress Security Advisory Used to Deploy Malware and Backdoor

A fake WordPress advisory is making the rounds, trying to convince administrators that the WordPress security team contacts them and that they really need to install something. That something is, of course, malware.

When the security team from WordPress contacts you directly, you’d think it must be serious. No one wants a vulnerability in their website, so website administrators might jump at the opportunity to get ahead and fix any security issue. The problem is that they will create a security issue. The WordPress advisory is false, and they've just introduced malware into their websites.

Security researchers from Wordfence have discovered a new phishing scam pushing a fake warning regarding an inexistent CVE-2023-45124 that's supposedly plaguing WordPress websites.

Ironically, the message delivered in the phishing attack warns of data theft.

"The Wordpress Security Team has discovered a Remote Code Excecution (RCE) vulnerability on your site, that allows attackers to execute malicious code and steal your data, user details and more," the attackers explain in the email. As a side note, keep in mind that both 'Wordpress' and the word 'Excecution' have typos.

"As we are working on mitigating this critical security flaw in the next Wordpress update, we urge you to immediately use the CVE-2023-45124 Patch, a plugin created by the Wordpress Team. All you need to do is simply download, install and activate the plugin, to ensure a quick and trouble-free protection of your website's security against the potential exploits and malicious activities associated with this  vulnerability," the email concludes.

The message is accompanied by a download link that leads to a website that looks very convincing. If installed, the plugin adds a new administrator user named 'wpsecuritypatch' and connects back to the command and control server with the website address. According to the researchers, the plugin also downloads a backdoor, a file manager, an SQL client, a PHP console and a command line terminal.

The phishing attack doesn't seem to have claimed any victims so far, and it remains unclear what the attackers aim to do with all the tools and access. Given the level of access, they could use the website to host malware for other attacks or even inject malware directly into the victim's page.