Ongoing Fake CVE Phishing Campaign Targeting WordPress

Published on 05 Dec 2023 | Updated on 05 Dec 2023

There are reports of an ongoing phishing campaign targeting administrators of WordPress sites.

The campaign uses a phishing email that warns the recipient of a Remote Code Execution (RCE) vulnerability on their website, citing a fabricated identifier, CVE-2023-45124, and urging them to download a plugin that allegedly fixes the issue. The download link in the email leads to a fake landing page that serves a malicious plugin. Once installed, the plugin plants a backdoor on the WordPress site (including a hidden administrator account), giving the attacker persistent access for further exploitation.

Indicators of Compromise (IOCs)

Possible indicators of compromise (IOCs) associated with the ongoing phishing campaign are shown below:

  • A wp-autoload.php file in the webroot with a SHA-256 hash of ffd5b0344123a984d27c4aa624215fa6452c3849522803b2bc3a6ee0bcb23809
  • A folder called wpress-security-wordpress or cve-2023-45124 exists in the /wp-content/plugins/ folder.
  • A hidden administrative user with the username wpsecuritypatch (hidden from the wp-admin Users list, so check the wp_users table or WP-CLI output directly).
  • The following malicious domains:
      • en-gb-wordpress[.]org
      • wpgate[.]zip
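
The following script is an added example for checking a site against the indicators above; it is not code from the advisory or from any of the vendor write-ups linked below. It assumes the site lives under a single webroot directory and that the list of user logins is pulled from the database (for example `wp user list --field=user_login` or `SELECT user_login FROM wp_users`) rather than from the dashboard, since the backdoor hides both the plugin and the account from wp-admin. The sample site tree it builds is constructed placeholder data, not the real malware, so its wp-autoload.php is reported as present with a non-matching hash rather than as a confirmed sample.

```python
"""Offline IOC check for the fake CVE-2023-45124 campaign (added example).

Assumptions (not from the advisory): one webroot directory per site, and
user logins supplied by the caller from the database or WP-CLI.
"""
import hashlib
import os
import tempfile

# Indicators as listed in the advisory.
IOC_SHA256 = "ffd5b0344123a984d27c4aa624215fa6452c3849522803b2bc3a6ee0bcb23809"
IOC_PLUGIN_DIRS = ("wpress-security-wordpress", "cve-2023-45124")
IOC_ADMIN_USER = "wpsecuritypatch"
IOC_DOMAINS = ("en-gb-wordpress.org", "wpgate.zip")


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_site(webroot, user_logins):
    """Return a list of (indicator, detail) tuples for every IOC that matches."""
    findings = []

    # 1. wp-autoload.php in the webroot. Report presence even when the hash
    #    differs: it is not a core WordPress file, and repacked samples will
    #    not share the published hash.
    autoload = os.path.join(webroot, "wp-autoload.php")
    if os.path.isfile(autoload):
        digest = sha256_file(autoload)
        if digest == IOC_SHA256:
            findings.append(("wp-autoload.php", "hash matches known sample"))
        else:
            findings.append(("wp-autoload.php",
                             "present, hash %s differs from IOC" % digest))

    # 2. Known plugin directory names under wp-content/plugins.
    plugins_dir = os.path.join(webroot, "wp-content", "plugins")
    for name in IOC_PLUGIN_DIRS:
        if os.path.isdir(os.path.join(plugins_dir, name)):
            findings.append(("plugin dir", name))

    # 3. Hidden admin user: compare against logins taken from the database,
    #    because the backdoor hides the account from the wp-admin user list.
    if IOC_ADMIN_USER in user_logins:
        findings.append(("user", IOC_ADMIN_USER))

    # 4. Malicious domains referenced anywhere in the plugins tree.
    if os.path.isdir(plugins_dir):
        for root, _dirs, files in os.walk(plugins_dir):
            for fname in files:
                path = os.path.join(root, fname)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue
                for domain in IOC_DOMAINS:
                    if domain.encode() in data:
                        rel = os.path.relpath(path, webroot)
                        findings.append(("domain", "%s in %s" % (domain, rel)))
    return findings


def build_sample_site():
    """Build a throw-away fake site tree (constructed data, not the real malware)."""
    root = tempfile.mkdtemp(prefix="wp-ioc-demo-")
    plugin = os.path.join(root, "wp-content", "plugins", "wpress-security-wordpress")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "wpress-security-wordpress.php"), "w") as fh:
        fh.write("<?php\n// constructed placeholder; the real sample is not reproduced\n"
                 "$c2 = 'https://wpgate.zip/';\n")
    with open(os.path.join(root, "wp-autoload.php"), "w") as fh:
        fh.write("<?php // constructed placeholder, not the real backdoor\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    # On a live site, pass the logins from `wp user list --field=user_login`.
    for indicator, detail in scan_site(site, ["admin", "wpsecuritypatch"]):
        print("%-16s %s" % (indicator, detail))
```

Run it against a real install by calling scan_site with the site's webroot and the login list from WP-CLI or the database. A present wp-autoload.php with a differing hash is still worth a manual look, since the published hash covers one sample only.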

Users and administrators are advised to be vigilant towards such phishing attempts and not to click on any links in the reported email, including the "Unsubscribe" link and the download button for the malicious plugin. Administrators who may already have installed the plugin should check their site for the indicators above and remove the plugin, the wp-autoload.php file and the rogue administrator account.

More information available here:

https://www.bleepingcomputer.com/news/security/fake-wordpress-security-advisory-pushes-backdoor-plugin/

https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-scam-tricks-users-into-installing-backdoor-plugin/

https://patchstack.com/articles/fake-cve-phishing-campaign-tricks-wordpress-users-to-install-malware/