
WordPress administrators are being targeted by a fake security advisory email campaign that cites a fictitious vulnerability (CVE-2023-45124) to trick them into installing a malicious plugin on their websites.

According to security researchers, the attackers sent deceptive emails to website administrators, pretending to be from WordPress. The email is a fake WordPress security advisory for a critical remote code execution (RCE) flaw. It encourages recipients to download and install a supposed security patch plugin. Clicking the ‘Download Plugin’ button redirects victims to a fake landing page mimicking the legitimate ‘’ site. The fake plugin, with a likely inflated download count and phony user reviews, creates a hidden admin user and sends victim information to the attackers’ server. The plugin then downloads a backdoor payload that provides file management capabilities, a SQL client, a PHP console, and a command line terminal. The backdoor hides itself from the installed plugins list, so it has to be removed manually. While the operational goal of the plugin is unknown, it could potentially be used for various malicious activities, such as injecting ads, redirecting visitors, stealing sensitive information, or threatening website owners with database content leaks.

This segment was created for the It’s 5:05 podcast