WordPress Bug Patch Installs Backdoor for Full Site Takeover

A faux security alert purports to provide a fix for an RCE flaw, but instead creates a user with admin privileges and spreads a backdoor to infected sites.

Attackers are targeting WordPress users with a fake security alert that warns of a fabricated remote code execution (RCE) flaw; it offers a patch that in actuality spreads malicious code that can hijack the site.
The email campaign, identified by researchers at both
Wordfence
and
Patchstack,
impersonates WordPress and warns users of a vulnerability, CVE-2023-45124, urging them to click on a link to download a plugin that will fix the flaw.
This is not a legitimate email and the plugin that they are asking you to download and install will infect your website with
a backdoor
and malicious administrator account, Patchstack warned users in a blog post about the campaign.
Attackers can use the backdoor to conduct malicious activity, such as injecting advertisements into the site, redirecting users to a malicious site, or stealing billing info, according to Patchstack. They also can leverage it for distributed denial of service (DDoS) attacks, or can blackmail site owners by making a copy of the sites database and then holding it hostage for a cryptocurrency payment.
The good news is that so far, it does not appear as if any targets have been infected by the campaign, which requires user action to be successful, the researchers noted.
Moreover, attackers aim to get users to do their dirty work for them by informing victims who install and activate the plugin that CVE-2023-45124 has been patched successfully” and then encouraging them to share the patch with people you think might be affected by this vulnerability, according to Patchstack.
With hundreds of millions of websites built on WordPress, the platform and its users represent a
large attack surface
for threat actors and thus are frequent targets of malicious campaigns via
plugins
that install malware or phishing campaigns that target WordPress users — or, in this case, both. Attackers also tend to quickly
pounce on flaws
that are discovered in WordPress, a risk of which the current campaign takes full advantage by luring users with the threat of a potentially exploitable vulnerability.
Current indicators of compromise that a site has been infected include the creation of a user with the username wpsecuritypatch; the presence of a file called wp-autoload.php in the root folder of the WordPress site; the existence of a folder called wpress-security-wordpress or cve-2023-45124 in the /wp-content/plugins/ folder; and outgoing requests sent to wpgate[.]zip, the attacker-controlled site, according to Patchstack.
However, these variables could change depending on the whim of attackers, the researchers warned. Tomorrow they could very well have the username set to something else or set up another malicious domain name, according to the post.
Wordfence plans to release a future post taking a deeper dive into the plugin and backdoor. For now the researchers warned users that they should be on the lookout for the phishing email associated with the campaign and avoid clicking on any links contained within, even an unsubscribe link.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
WordPress Bug Patch Installs Backdoor for Full Site Takeover