BrianKrebs: This is pretty clever. A phish going around spoofing WordPress and telling people to install a security update that references a fake CVE. In this case, the “patch” is a website backdoor.
image: The fake message from WordPress says the WP security team discovered a remote code execution flaw in your site, and that WordPress has made available a patch for the flaw – CVE-2023-45124 — which doesn’t exist. The “patch” is actually a website backdoor.
I removed the URL as perusing this later gave an error in viewing.
This boost leads to PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin which talks about how it is delivered, the fact it leads to a CVE which doesn’t exist, and leaves a backdoor within the site.
Usually plug ins that Worpress offers can be installed through your WordPress interface or gotten as a zip file through official channels.
The fact that the WordPress security team would have your email address would be fishy enough, because only your instance has that info and emails you accordingly.
If you turn on auto updates, our web host will install the updates when WordPress pings for updates.
You can install a plug in or theme from a link, but make sure you trust its source.
Discover more from Jared's Technology podcast network
Subscribe to get the latest posts sent to your email.