Schrodinger Vulnerability: Why Hackers Invent WordPress Security Problems

Brother

An unusual strategy by cybercriminals is leading to mass infection of websites with malicious code.

WordPress admins are receiving fake security notifications related to a non-existent vulnerability allegedly tracked under the ID CVE-2023-45124. The purpose of the attack is to infect sites with a malicious plugin.

Emails disguised as official messages from WordPress talk about a critical Remote Code Execution (RCE) vulnerability found on the administrator's site. WordPress users are being urged to install a plugin that supposedly solves a security problem.

Clicking the "Download plugin" button leads to a fake page, "en-gb-wordpress [.] org", which is indistinguishable from the official site "wordpress.com". The page shows an inflated download count of 500 thousand for the plugin, as well as fake user reviews.

After installation, the plugin creates a hidden administrator named "wpsecuritypatch" and sends information about the victim to the attackers' C2 server. The plugin then downloads and stores malicious code on the site.

The plugin is equipped with file management functions, an SQL client, a PHP console, and a command-line terminal. It also provides attackers with detailed information about the compromised server.

The plugin also does not appear in the list of installed plugins, which makes it difficult to detect and remove. At the moment, the purpose of the plugin is unknown, but experts suggest it could be used to embed ads on compromised sites, redirect visitors, steal confidential information, or even blackmail site owners by threatening to leak database contents.

WordPress security experts from Wordfence and PatchStack have published warnings on their websites to raise awareness among administrators and users about this threat. It is extremely important to exercise caution when installing unknown plugins and pay attention to suspicious emails.
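Two of the behaviours described above, hiding from the Installed Plugins screen and adding a rogue administrator, can be checked for from outside the WordPress admin UI, which the plugin may be lying to. The following is an added example written for this page; it is not code from the original post, from Wordfence or from Patchstack. It assumes the hiding is done through WordPress filter hooks such as `all_plugins` (a common technique, but the post does not say how the plugin hides itself), scans `wp-content/plugins` on disk for those hooks, and compares administrator accounts from `wp_users`/`wp_usermeta` rows against an allowlist. The plugin directory, file contents and user rows in `demo()` are constructed sample data.

```python
"""Triage helpers for a WordPress compromise of the kind described above:
a plugin that hides itself from the plugin list and adds a rogue admin.
Added example for this page, not code from the original post or from
Wordfence/Patchstack. The hiding mechanism checked for is an assumption."""
import re
import tempfile
from pathlib import Path

# Hooks a plugin has no legitimate reason to use on its own entry. The
# `all_plugins` filter is the usual way to drop a plugin from the Installed
# Plugins screen; `pre_user_query` can likewise hide a user from the Users
# screen. Assumed mechanisms; the post does not describe the hiding code.
HIDE_PATTERNS = {
    "filters all_plugins": re.compile(r"""add_filter\s*\(\s*['"]all_plugins['"]"""),
    "filters views_plugins": re.compile(r"""add_filter\s*\(\s*['"]views_plugins['"]"""),
    "filters pre_user_query": re.compile(r"""add_action\s*\(\s*['"]pre_user_query['"]"""),
}
ROGUE_LOGINS = {"wpsecuritypatch"}  # account name reported in the post


def scan_php_source(php: str) -> list[str]:
    """Return the names of the hiding heuristics that match one PHP file."""
    return [name for name, rx in HIDE_PATTERNS.items() if rx.search(php)]


def scan_plugins_dir(plugins_dir: Path) -> dict[str, list[str]]:
    """Walk wp-content/plugins on disk (not the admin UI, which the plugin can
    filter) and map each suspicious file to the heuristics it tripped."""
    findings: dict[str, list[str]] = {}
    for php_file in sorted(plugins_dir.rglob("*.php")):
        hits = scan_php_source(php_file.read_text(errors="replace"))
        if hits:
            findings[php_file.relative_to(plugins_dir).as_posix()] = hits
    return findings


def find_unexpected_admins(users, usermeta, expected_admins) -> list[str]:
    """users / usermeta are dict rows as you would select from wp_users and
    wp_usermeta. Flags every administrator login not in expected_admins, and
    any login matching the name reported for this campaign regardless of
    role (the account may have been demoted or renamed after creation)."""
    caps = {m["user_id"]: m["meta_value"] for m in usermeta
            if m["meta_key"] == "wp_capabilities"}
    flagged = []
    for u in users:
        is_admin = "administrator" in caps.get(u["ID"], "")
        if (is_admin and u["user_login"] not in expected_admins) \
                or u["user_login"] in ROGUE_LOGINS:
            flagged.append(u["user_login"])
    return flagged


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Run both checks over constructed sample data: one benign plugin, one
    that hides itself, and a wp_users table with an extra administrator."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "hello-dolly").mkdir()
    (tmp / "hello-dolly" / "hello.php").write_text(
        "<?php add_action('admin_notices', 'hello_dolly'); ?>")
    (tmp / "wp-security-patch").mkdir()  # constructed directory name
    (tmp / "wp-security-patch" / "plugin.php").write_text(
        "<?php\n"
        "add_filter('all_plugins', function ($plugins) {\n"
        "    unset($plugins[plugin_basename(__FILE__)]); return $plugins;\n"
        "});\n"
        "add_action('pre_user_query', 'hide_me');\n")
    users = [
        {"ID": 1, "user_login": "admin"},
        {"ID": 7, "user_login": "wpsecuritypatch"},
    ]
    usermeta = [
        {"user_id": 1, "meta_key": "wp_capabilities",
         "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
        {"user_id": 7, "meta_key": "wp_capabilities",
         "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    ]
    return scan_plugins_dir(tmp), find_unexpected_admins(users, usermeta, {"admin"})


if __name__ == "__main__":
    files, admins = demo()
    print("suspicious plugin files:", files)
    print("unexpected admin accounts:", admins)
```

On a real site, point `scan_plugins_dir` at `wp-content/plugins` and feed `find_unexpected_admins` the rows from `SELECT ID, user_login FROM wp_users` and `SELECT user_id, meta_key, meta_value FROM wp_usermeta`, taken directly from the database rather than through the admin screens. A match on the hook patterns is a lead to read the file, not proof of compromise on its own.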