WordPress administrators are currently facing a highly sophisticated email campaign that exploits a non-existent vulnerability, labeled as CVE-2023-45124. Crafted to deceive, these malicious emails pretend to be official WordPress communications, falsely notifying site administrators of a critical remote code execution (RCE) flaw. Security experts from Wordfence and PatchStack have uncovered this deceptive campaign, aiming to warn and educate WordPress users about this perilous threat.
Nature and Actions
The deceptive emails present a fabricated security issue, prompting recipients to address the purported vulnerability by downloading and installing a plugin provided within the message. Upon clicking the ‘Download Plugin’ button, victims are directed to a meticulously crafted fraudulent landing page, masquerading as the legitimate ‘wordpress.com’ site. This deceptive page showcases a fraudulent plugin entry, boasting an exaggerated download count of 500,000 and concocted user reviews praising its effectiveness in resolving compromised sites and thwarting hacker attacks.
Once installed, this malicious plugin, disguised as a security patch, initiates a series of nefarious actions. It clandestinely creates a hidden admin user named ‘wpsecuritypatch’ and transmits victim information to the attackers’ command and control server (C2) located at ‘wpgate[.]zip.’ Subsequently, the plugin downloads a base64-encoded backdoor payload from the C2, saving it as ‘wp-autoload.php’ in the website’s webroot.
This sophisticated backdoor presents multifaceted functionalities, including file management capabilities, a SQL client, a PHP console, and a command line terminal. Additionally, it gathers detailed information about the server environment, sending it back to the attackers.
Dangers to User Security
The dangers posed by this malicious plugin are grave. It remains hidden from the list of installed plugins, requiring a manual search within the site’s root directory for removal. While the specific intentions of this plugin are not fully disclosed, security analysts speculate on its potential malicious purposes, ranging from injecting ads, redirecting visitors, stealing sensitive information, to potentially blackmailing website owners by threatening to leak database contents.
Dealing with the Consequences of Infection
Removal Steps
- Identify the Malicious Plugin: Search the site’s root directory for suspicious files or the ‘wp-autoload.php’ file.
- Remove the Malicious Files: Delete any suspicious files associated with the plugin.
- Reset Admin Credentials: Change passwords and usernames, eliminating any traces left by the malicious plugin.
Preventive Measures
- Verification of Source: Always verify the authenticity of communications and avoid clicking on links or downloading attachments from suspicious emails.
- Regular Scans and Updates: Perform regular security scans and keep WordPress, plugins, and themes updated.
- Use Trusted Sources: Only download plugins or themes from reputable sources within the official WordPress repository.
Conclusion
The deceptive campaign exploiting the non-existent CVE-2023-45124 poses a severe threat to WordPress sites, allowing attackers to infiltrate, compromise, and potentially manipulate websites for malicious purposes. Vigilance, regular security checks, and cautious handling of communications are crucial in preventing such sophisticated threats from undermining the security and integrity of WordPress sites.
