Wordress Vunerability

Paul Kelly ICHYB · Jan 7, 2024

Unusually, I have received 2 emails from WP re a vunerability, as follows:

----------------------

Dear user
The WordPress Security Team has found a critical vulnerability on the website: xxx

The Remote Code Execution (RCE) vulnerability found on your site is classified as a high-risk threat, potentially enabling malicious code execution and putting your data, user details, and overall site security at risk.

We urge you to apply the CVE-2024-46188 Patch immediately, as we are working on fixing this crucial security concern in the upcoming WordPress version.

Simply download the plugin by clicking the button below, install and activate it on your site. This establishes rapid and easy-going defense against potential exploits and malicious actions related with this vulnerability.

--------

This does appear very genuine, especially as the two sites in question use Jetpack (most of my others do not) and the download site is https://en.uk-wordpress.org/ - looks really reputable, but it isn't!

See here:

Alert: WordPress Security Team Impersonation Scams

The WordPress Security Team is aware of multiple ongoing phishing scams impersonating both the “WordPress team” and the “WordPress Security Team“ in an attempt to convince administrators to install…

wordpress.org

fisicx · Jan 7, 2024

I get a number of these now. Some telling me my own plugins need fixing with a link to download a security report.

Phishing emails of all sorts are prevalent.

DontAsk · Jan 7, 2024

A quick search on cce.org would show that CVE-2024-46188 does not exist.

NEVER click a link iin an e-mail for stuff like this. ALWAYS go direct to the vendors website and check for patches there.

Paul Kelly ICHYB · Jan 7, 2024

I forwarded the offensive email to the domain registrant and they wrote back 'can you provide proof/evidence of the naughtiness?'

antropy · Jan 8, 2024

Paul Kelly ICHYB said:
The WordPress Security Team has found a critical vulnerability on the website: xxx

This is one reason why people shouldn't use WordPress - whether this is genuine or not, vulnerabilities are so common.

The other is that other platforms are so much easier to use and modify.

Paul.

Paul Kelly ICHYB · Jan 8, 2024

antropy said:
The other is that other platforms are so much easier to use and modify.

That's subjective - I find Joomla better & easier than WP, but know people who cant get past the admin screen!

Shopclicks · Jan 8, 2024

antropy said:
This is one reason why people shouldn't use WordPress

So, your expert opinion is that 63% of the world's websites should change CMS? What vulnerabilities have you personally found with WP?

antropy said:
The other is that other platforms are so much easier to use and modify.

Based on the fact that your own developers struggle with Wordpress? I think that says more about skills than it does about Wordpress.

fisicx · Jan 8, 2024

antropy said:
This is one reason why people shouldn't use WordPress - whether this is genuine or not, vulnerabilities are so common.

So because a scammer sends you an email you shouldn’t use Wordpress?

By the same logic I shouldn’t use windows, Netflix, most banks, PayPal, Amazon and the HMRC.

KM-Tiger · Jan 8, 2024

fisicx said:
By the same logic I shouldn’t use windows, Netflix, most banks, PayPal, Amazon and the HMRC.

You left out Horizon.

WildAsTheWind · Jan 8, 2024

Paul Kelly ICHYB said:
Unusually, I have received 2 emails from WP re a vunerability, as follows:

----------------------

Dear user
The WordPress Security Team has found a critical vulnerability on the website: xxx

The Remote Code Execution (RCE) vulnerability found on your site is classified as a high-risk threat, potentially enabling malicious code execution and putting your data, user details, and overall site security at risk.

We urge you to apply the CVE-2024-46188 Patch immediately, as we are working on fixing this crucial security concern in the upcoming WordPress version.

Simply download the plugin by clicking the button below, install and activate it on your site. This establishes rapid and easy-going defense against potential exploits and malicious actions related with this vulnerability.

--------

I have only received one email, but thankfully the scam seems to have been running a few days, so I was able to find 'scam alerts' like this one online.

I received the following email, for my WooCommerce site, (Wild As The Wind Natural Skincare & Essential Oils UK).

The email contains an embedded link to my website, and the format is convincing.

Thankfully, I didn’t click the tab provided.

I'm adding my experience in the hope of helping others. (I received a scam email from my hosting company last week, demanding money. I can only wonder at how effective these scams are!?!)
--------------

Dear user

The WordPress Security Team has detected a critical vulnerability on the website: [the embedded link was here, but isn't permitted on this forum]

The Remote Code Execution (RCE) vulnerability detected on your site is categorized as a high-risk threat, potentially enabling malicious code execution and putting your data, user details, and overall site security at risk.

We urge you to apply the CVE-2024-46188 Patch immediately, while we are working on fixing this important security concern in the upcoming WordPress update.

Simply download the plugin by clicking the button below, install and activate it on your site. This establishes quick and seamless protection against potential exploits and malicious actions related to this vulnerability.

ctrlbrk · Jan 8, 2024

WildAsTheWind said:
I can only wonder at how effective these scams are!?!

Hi @WildAsTheWind, welcome.

As for scam effectiveness, it is a numbers' game.

In WordPress' case its market share means that, out of millions of sites, you are bound to find people who fall for it.

That's what scammers bet on.

antropy · Jan 8, 2024

Shopclicks said:
So, your expert opinion is that 63% of the world's websites should change CMS?

Correct.

Shopclicks said:
What vulnerabilities have you personally found with WP?

Seen plenty of hacks.

Shopclicks said:
Based on the fact that your own developers struggle with Wordpress? I think that says more about skills than it does about Wordpress.

For the record, they're absolutely off the scale talented developers, but they know poor code when they see it, as do I.

Paul.

Paul Kelly ICHYB · Jan 8, 2024

Guys, we're skidding off topic now!

fisicx · Jan 8, 2024

Paul Kelly ICHYB said:
Guys, we're skidding off topic now!

Happens on all WP threads. Haters love to hate.

antropy · Jan 8, 2024

fisicx said:
Happens on all WP threads. Haters love to hate.

The topic is literally about WP vulnerabilities.

What's going off topic is @Shopclicks insulting my developers.

Paul.

fisicx · Jan 8, 2024

antropy said:
The topic is literally about WP vulnerabilities.

No it’s not! It’s about a phishing email suggesting there is a vulnerability when no such vulnerability exists. What the scammers want you to do is install their plugin so they can hack your site/server/network.

Please read the opening post again.

antropy · Jan 8, 2024

fisicx said:
No it’s not! It’s about a phishing email suggesting there is a vulnerability when no such vulnerability exists.

So it's not about WP vulnerabilities, it's about an email about WP vulnerabilities.

Glad you clarified between those totally different topics

Paul.

fisicx · Jan 8, 2024

antropy said:
So it's not about WP vulnerabilities, it's about an email about WP vulnerabilities.

No, it’s an email claiming there is vulnerability. No such vulnerability exists.

It’s a phishing exercise just like the plethora of similar phishing emails.

They probably don’t exist for opencart because the user base is too small.

antropy · Jan 8, 2024

fisicx said:
No, it’s an email claiming there is vulnerability. No such vulnerability exists.

But it's believable because there are so many genuine WP vulnerabilities.

fisicx said:
They probably don’t exist for opencart because the user base is too small.

Or because genuine security holes are rarer than hens' teeth!

Paul.

DontAsk · Jan 8, 2024

antropy said:
But it's believable because there are so many genuine WP vulnerabilities.

Only to those who don't really know what they are doing ,and shouldn't be running a WP site in the first place.

ctrlbrk · Jan 8, 2024

DontAsk said:
Only to those who don't really know what they are doing ,and shouldn't be running a WP site in the first place.

This is true and yet, likely the very reason WP is so widespread is because it is so user-friendly that many people who are not IT-literate take the plunge and adopt it.

Not defending non-IT-literate users, just making a consideration.

fisicx · Jan 8, 2024

antropy said:
But it's believable because there are so many genuine WP vulnerabilities.

Most of the vulnerabilities are with unsecured themes and plugins sold outside the wp repository.

Even OpenCart has a bunch of published CVEs

ecommerce84 · Jan 8, 2024

If everyone moved from Wordpress to a different platform, the scammers would just start targeting those platforms instead - if that platform doesn’t easily allow for phony plugins to be installed, they’ll ask for passwords instead or claim to be from ‘tech support’ as ‘your website has a virus’.

And every platform has one major potential security flaw - the person running and maintaining the website. If a person is likely to find a phishing email convincing and follows the instructions in the e-mail, they are likely to get hacked, the platform they are on doesn’t matter.

Even users of the biggest, most secure websites such as PayPal, banks, Amazon etc get scammed regularly.

antropy · Jan 9, 2024

ecommerce84 said:
If everyone moved from Wordpress to a different platform, the scammers would just start targeting those platforms instead

You're right, WordPress is a victim of its own success. Scammers target the most popular.

Paul.

Small Business Ltd · Jan 17, 2024

Time to change the email address your getting the spam / phishing emails from?

If I host a Wordpress platform, I put Wordfence on it (Free version on most of my sites, unless the client is happy to pay for the full version. Free is 30 days delay for most new threats) and use multiple (.co.uk) email addresses. My email addresses are not real mailboxes and are Forwarders to one real unpublished mailbox and if compromised (I start receiving phishing emails), I update the email Forwader address to a different one.

I only update Plugins on the Wordpress platforms I provide, when I log into the site direct and see that the update is requried. Wordfence (Central - also free) also allows me to monitor updates on multiple sites and decide if it’s an urgent update or not.

A little complicated for some, but it works very well for me.

Cookie Consent

Essential

Analytics

Marketing

Wordress Vunerability