Catch Of The Week: Fake WordPress Security Advisory Scam

By REBECCA RUTHERFORD
For the Los Alamos Daily Post

If you’re a blogger, chances are you have used WordPress as a platform. It’s one of the biggest blogger platforms out there. If and when I start my blog about cats, cocktails and cybersecurity, I’ll probably even end up using it.

That said, WordPress has a poor reputation from a security perspective. Outdated core software, plugins and themes are among the biggest contributors to this problem.

For the casual user, keeping everything up to date in WordPress can be challenging, but without these updates there can be some serious security issues.


And now scammers are exploiting users’ security fears with a WordPress-themed phishing email. The campaign was caught and reported by Patchstack, a WordPress security firm.

WordPress admins are reportedly being emailed fake WordPress security advisories for a nonexistent vulnerability, given the made-up identifier “CVE-2023-45124,” in an attempt to get them to install a malicious plugin on their sites.

The emails spoof WordPress, warning admins that a new critical remote code execution (RCE) flaw in the platform was detected on the admin’s site, and asking them to download and install a plugin that supposedly fixes it.

Source PatchStack

What is an RCE? Remote code execution (RCE) is a vulnerability that lets an attacker run code of their choosing on a target machine over the network. The impact can range from running malware to an attacker gaining total control of the compromised machine. In this scam there is no real RCE flaw; the warning is just the bait.

If users click the email’s “Download Plugin” button, it takes the victim to a fake landing page at “en-gb-wordpress[.]org,” a domain chosen to resemble wordpress.org, that is styled to look like an official WordPress plugin page. Check the domain carefully: the legitimate sites are wordpress.org and wordpress.com, and anything with extra prefixes or hyphens is a lookalike.

Source PatchStack

If you judge apps and plugins by user reviews and download counts, this page may look legitimate, but the download count and the reviews are fabricated.

After installation, the malicious plugin creates a hidden administrator account and sends the victim’s site information to the attacker’s C2 (command and control) server. What is a C2? A C2 server is attacker-controlled infrastructure that malware contacts to receive commands, report back stolen data, and fetch additional malicious programs and scripts.

The plugin then downloads a base64-encoded backdoor payload. This backdoor gives the attackers control over the compromised website (the plugin runs on the web server, not on the admin’s own computer). The malicious plugin then hides itself from the list of installed plugins, so finding and removing it requires a manual look at the site’s files on disk (plugins live under wp-content/plugins) rather than the dashboard.
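The three behaviors described above (a hidden admin account, a plugin missing from the dashboard’s plugin list, and a base64-encoded payload fed to a code-execution function) each leave a trace an admin can check for without trusting the dashboard. The script below is an added example, not Patchstack’s code or anything from the malicious plugin: it runs the role query that a WordPress install’s own database would answer (against a constructed in-memory copy of the wp_users and wp_usermeta tables; on a real site run the same SQL against MySQL with the site’s table prefix), compares the plugin directories on disk with what the Plugins screen reports, and flags PHP files that combine a decoder with an execution sink. All account names, plugin names and file contents are constructed for the example; the plugin name “hypothetical-patch-plugin” is invented, not the name used in the campaign.

```python
"""Post-incident checks for a WordPress site, as an added example.
All sample data is constructed; nothing here is from the real campaign."""
import re
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the wp_users / wp_usermeta tables.
    WordPress stores roles in wp_usermeta under meta_key '<prefix>capabilities'
    as a serialized PHP array, e.g. a:1:{s:13:"administrator";b:1;}."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'rebecca', 'rebecca@example.com', '2021-03-04 10:00:00');
        INSERT INTO wp_users VALUES (2, 'editor1', 'editor@example.com', '2022-06-01 09:00:00');
        -- constructed: an account nobody on the team created
        INSERT INTO wp_users VALUES (7, 'wp-svc-update', 'noreply@example.net', '2023-12-02 03:14:11');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


# Same query works on the live MySQL database; replace wp_ with the site's prefix.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered
"""


def list_admin_users(conn: sqlite3.Connection) -> list[dict]:
    """Every account holding the administrator role, read straight from the
    database so an account hidden from the Users screen still appears."""
    cols = ("id", "login", "email", "registered")
    return [dict(zip(cols, row)) for row in conn.execute(ADMIN_QUERY)]


def find_unlisted_plugins(on_disk: list[str], reported: list[str]) -> list[str]:
    """Plugin directories present under wp-content/plugins that the dashboard's
    Plugins screen does not show. on_disk comes from a directory listing made
    outside WordPress (e.g. over SSH or SFTP); reported is copied from the UI."""
    return sorted(set(on_disk) - set(reported))


# Heuristic triage: a decoder plus an execution sink in the same file. Legitimate
# code also calls base64_decode (icons, API payloads), so hits need a human look.
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
SINKS = re.compile(r"\b(eval|assert|create_function|system|shell_exec|passthru)\s*\(", re.I)


def scan_php(files: dict[str, str]) -> dict[str, tuple[list[str], list[str]]]:
    """files maps path -> PHP source. Returns {path: (decoders, sinks)} for files
    that contain at least one decoder call and at least one execution sink."""
    flagged = {}
    for path, src in files.items():
        decoders = sorted({m.group(1).lower() for m in DECODERS.finditer(src)})
        sinks = sorted({m.group(1).lower() for m in SINKS.finditer(src)})
        if decoders and sinks:
            flagged[path] = (decoders, sinks)
    return flagged


# Constructed file contents; the 'aGVsbG8=' blob is just "hello" in base64.
SAMPLE_PHP = {
    "wp-content/plugins/akismet/akismet.php":
        "<?php\n// decodes an embedded image, never executes it\n$icon = base64_decode($data);\n",
    "wp-content/plugins/hypothetical-patch-plugin/init.php":
        "<?php\n$payload = 'aGVsbG8=';\neval(base64_decode($payload));\n",
}

if __name__ == "__main__":
    db = build_sample_db()
    for admin in list_admin_users(db):
        print("administrator:", admin)
    on_disk = ["akismet", "hypothetical-patch-plugin"]   # constructed listing
    reported = ["akismet"]                               # what the UI showed
    print("unlisted plugins:", find_unlisted_plugins(on_disk, reported))
    for path, (dec, sink) in scan_php(SAMPLE_PHP).items():
        print(f"suspicious: {path} decoders={dec} sinks={sink}")
```

In practice the admin query and the disk listing are the two checks that do not depend on anything the plugin can tamper with from inside WordPress; the PHP scan is only a starting point for deciding which files to read by hand.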

According to Patchstack, the end goal of the campaign remains unclear, but they speculate that the backdoor could be used for injecting ads on compromised sites, redirecting visitors, stealing sensitive information, or even blackmailing owners by threatening to leak their website’s database contents.

If you are a WordPress admin, be aware of this scam, and don’t click that link! Genuine WordPress security fixes are applied from the Updates screen in your own dashboard, never by installing a plugin that arrived by email.

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.
