top of page
  • Clipeus

Fake Wordpress Advisory Spreads Backdoor

Wordfence and PatchStack security analysts reported a large-scale distribution of a weaponized WordPress plugin shared via a fake WordPress security advisory. The threat follows the chain below:

  • Victims are directed to a fake WordPress landing page - "en-gb-wordpress[.]org" - which mimics the legitimate WordPress website.

  • Victims are lured to install a "patch" plugin containing malicious code that triggers the exploitation of a remote code execution vulnerability tracked by Wordfence and PatchStack as CVE-2023-45124.

  • The patch plugin creates a hidden admin user named "wpsecuritypatch" and sends information about the victim to the attackers' command and control server (C2) at "wpgate[.]zip."

  • The backdoor has the capability to connect to wpgate[.]zip to download additional threats, including a file named wp-autoload.php in the webroot.

The phishing scheme was quite complex and attempted to trick victims by showing a likely inflated download count (allegedly "500,000") for the malicious plugin.


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you

bottom of page