A fake WordPress vulnerability patch has been found in distribution. This fake security patch is malware, and there are currently reports of emails being sent to WordPress administrators with links to it.
Overview of the fake security patch referencing CVE-2023-45124
WordPress administrators receive a phishing email urging them to apply a fake security patch, with the following wording:
"The WordPress Security Team has discovered a Remote Code Execution (RCE) vulnerability on your site, which allows attackers to execute malwares and steal your data, user details and more ..."
If you click the link in the email, you are prompted to download and install a plugin called CVE-2023-45124 Patch.
The page looks similar to the official WordPress site. According to Sucuri, the link has been confirmed to lead to several different domains.
The fake patch appears to be a plugin zip file with one of the following names:
wpgate[.]zip
wpsrv[.]zip
wpsys[.]zip
wpops[.]zip
How to deal with it
WordPress security patches are distributed through automatic updates to WordPress itself. They are never distributed as a plugin.
Ignore phishing e-mails that suggest you install a plugin as a security patch. Do not click on any links.
What if I have already installed it, or may have?
Go to the WordPress admin page > Plugins > Plugins list, then deactivate and delete the plugin WordPress Patch CVE-2023-45124 (or a similarly named plugin) if it exists.
We also recommend that you run a malware scan, remove any malware found, and apply security measures.
Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
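For administrators with file access to the server, the plugin check described above can also be run directly against the wp-content/plugins directory by reading each plugin's "Plugin Name" header. This is an added example, not code from the original article or from WordPress; the function names are illustrative, and matching on folder names assumes the installed plugin keeps the base name of the zip file.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the article. Assumption: the plugin folder keeps the zip's base name.
SUSPECT_SLUGS = {"wpgate", "wpsrv", "wpsys", "wpops"}
SUSPECT_NAME = re.compile(r"CVE-2023-45124", re.IGNORECASE)
# WordPress takes a plugin's display name from this header comment in its PHP file.
HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:(.*)$", re.IGNORECASE | re.MULTILINE)

def plugin_name(php_file):
    """Return the Plugin Name header found in the first 8 KiB, or None."""
    with open(php_file, "rb") as fh:
        match = HEADER.search(fh.read(8192))
    if not match:
        return None
    return match.group(1).decode("utf-8", "replace").strip(" \t\r*/")

def find_suspect_plugins(plugins_dir):
    """List (entry, declared name, reasons) for plugins matching the indicators."""
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        if entry.is_dir():
            php_files = sorted(entry.glob("*.php"))
        else:
            php_files = [entry] if entry.suffix == ".php" else []
        names = [n for n in map(plugin_name, php_files) if n]
        reasons = []
        if entry.stem.lower() in SUSPECT_SLUGS:
            reasons.append("folder or file name matches a fake patch zip name")
        if any(SUSPECT_NAME.search(n) for n in names):
            reasons.append("plugin name mentions CVE-2023-45124")
        if reasons:
            findings.append((entry.name, names[0] if names else None, reasons))
    return findings

def build_sample(root):
    """Constructed sample: one benign plugin and one imitating the fake patch."""
    for slug, name in [("contact-form", "Contact Form"),
                       ("wpgate", "WordPress Patch CVE-2023-45124")]:
        folder = Path(root) / slug
        folder.mkdir()
        (folder / f"{slug}.php").write_text(f"<?php\n/*\n * Plugin Name: {name}\n */\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in find_suspect_plugins(build_sample(tmp)):
            print(finding)
```

On a real site, pass the path of the site's wp-content/plugins directory to find_suspect_plugins; an empty result only means that none of these specific names were found.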