Wordfence and PatchStack security analysts reported a large-scale distribution of a weaponized WordPress plugin shared via a fake WordPress security advisory. The threat follows the chain below:
1. Victims are directed to a fake WordPress landing page, "en-gb-wordpress[.]org", which mimics the legitimate WordPress website.
2. Victims are lured to install a "patch" plugin containing malicious code that triggers the exploitation of a remote code execution vulnerability tracked by Wordfence and PatchStack as CVE-2023-45124.
3. The patch plugin creates a hidden admin user named "wpsecuritypatch" and sends information about the victim to the attackers' command and control server (C2) at "wpgate[.]zip".
4. The backdoor has the capability to connect to wpgate[.]zip to download additional threats, including a file named wp-autoload.php in the webroot.

The phishing scheme was quite complex and attempted to trick victims by showing a likely inflated download count (allegedly "500,000") for the malicious plugin.
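The indicators above (the hidden admin user, the dropped wp-autoload.php in the webroot, and the wpgate[.]zip / en-gb-wordpress[.]org domains) are the kind of thing a site owner would sweep a WordPress install for. The script below is an added example, not code from Wordfence, PatchStack or the report: it walks a document root for the dropped file and for source files referencing the C2 or lure domain, and checks a list of usernames (assumed to have been pulled from wp_users by the operator) for the backdoor account. The install it scans is constructed in a temp directory so the example runs offline; the directory layout and plugin name it builds are assumptions for demonstration only.

```python
"""Added defensive example (not from the original report): scan a WordPress
document root for the indicators named in the advisory summary above.
Indicators from the page: hidden admin user "wpsecuritypatch", dropped file
wp-autoload.php in the webroot, C2 domain wpgate[.]zip, lure domain
en-gb-wordpress[.]org. Everything else here is constructed."""
import os
import re
import tempfile

# Indicators taken from the summary; the defanged "wpgate[.]zip" and
# "en-gb-wordpress[.]org" are refanged here only for string matching.
SUSPICIOUS_USERS = {"wpsecuritypatch"}
DROPPED_FILES = {"wp-autoload.php"}
C2_PATTERN = re.compile(r"wpgate\.zip|en-gb-wordpress\.org", re.IGNORECASE)
SCAN_EXTENSIONS = (".php", ".js", ".txt", ".json")


def scan_users(usernames):
    """Return usernames matching the known backdoor account.
    `usernames` is an iterable of login names (assumed to come from the
    wp_users table); the database query itself is left to the operator."""
    return sorted(u for u in usernames if u.lower() in SUSPICIOUS_USERS)


def scan_files(webroot):
    """Walk the webroot and return sorted (kind, relative_path) findings:
    'dropped_file' for wp-autoload.php sitting directly in the webroot and
    'c2_reference' for any scanned source file mentioning the C2/lure domain."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            # The report places the dropped file in the webroot itself, so
            # only flag it at the top level (os.walk yields `webroot` first).
            if name in DROPPED_FILES and dirpath == webroot:
                findings.append(("dropped_file", rel))
            if name.endswith(SCAN_EXTENSIONS):
                try:
                    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                        if C2_PATTERN.search(fh.read()):
                            findings.append(("c2_reference", rel))
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
    return sorted(findings)


def build_constructed_install(infected=True):
    """Create a throwaway directory that looks like a WordPress docroot.
    Constructed sample data: a benign plugin, and (if infected) a plugin
    whose source mentions the C2 domain plus wp-autoload.php in the root.
    The plugin directory names are assumptions, not the real lure's names."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    clean = os.path.join(root, "wp-content", "plugins", "clean-plugin")
    os.makedirs(clean)
    with open(os.path.join(clean, "clean-plugin.php"), "w") as fh:
        fh.write("<?php // constructed benign plugin\n")
    if infected:
        bad = os.path.join(root, "wp-content", "plugins", "wp-security-patch")
        os.makedirs(bad)
        with open(os.path.join(bad, "patch.php"), "w") as fh:
            fh.write("<?php // constructed sample: references https://wpgate.zip/\n")
        with open(os.path.join(root, "wp-autoload.php"), "w") as fh:
            fh.write("<?php // constructed placeholder for the dropped file\n")
    return root


if __name__ == "__main__":
    docroot = build_constructed_install()
    for kind, rel in scan_files(docroot):
        print(f"{kind}: {rel}")
    for user in scan_users(["admin", "wpsecuritypatch", "editor"]):
        print(f"suspicious_user: {user}")
```

Against the constructed install the sweep reports the C2 reference inside the fake patch plugin and the dropped wp-autoload.php; a clean install yields no findings. In practice the username list would come from `wp user list` or a direct query on wp_users, and a hit on any of these indicators is a reason to treat the site as compromised rather than simply delete the flagged files.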