{"id":3807,"date":"2024-01-05T18:23:34","date_gmt":"2024-01-05T18:23:34","guid":{"rendered":"https:\/\/jamez.it\/blog\/?p=3807"},"modified":"2024-01-08T18:18:08","modified_gmt":"2024-01-08T18:18:08","slug":"phishing-malware-attack-wordpress-patch-cve-2024-46188","status":"publish","type":"post","link":"https:\/\/jamez.it\/blog\/2024\/01\/05\/phishing-malware-attack-wordpress-patch-cve-2024-46188\/","title":{"rendered":"Phishing\/Malware attack (&#8220;WordPress Patch CVE-2024-46188&#8221;)"},"content":{"rendered":"\n<p>I&#8217;ve received this email:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"653\" height=\"604\" src=\"https:\/\/jamez.it\/blog\/wp-content\/uploads\/2024\/01\/image-1.png\" alt=\"\" class=\"wp-image-3810\" srcset=\"https:\/\/jamez.it\/blog\/wp-content\/uploads\/2024\/01\/image-1.png 653w, https:\/\/jamez.it\/blog\/wp-content\/uploads\/2024\/01\/image-1-300x277.png 300w\" sizes=\"(max-width: 653px) 100vw, 653px\" \/><\/figure>\n\n\n\n<p>If you follow the link to phishing URL https:\/\/us.en-wordpress.org\/plugins\/cve-2024-46188\/, download the file, and analyze the code, you immediately realize that this plugin is malicious and does the following:<\/p>\n\n\n\n<ul>\n<li>it creates an admin user, where the username is a function of the website URL on which the plugin is installed, and the password is deterministic (E5rLDmno9F), although obtained by shuffling a string;<\/li>\n\n\n\n<li>it makes that user unsearchable from the WP interface;<\/li>\n\n\n\n<li>it makes the plugin unsearchable from the WP interface;<\/li>\n\n\n\n<li>it pings home (https:\/\/defcve.com\/wpapi?siteurl=, again some shuffling happens to hide this) to let the scammers know when someone &#8220;bites&#8221;;<\/li>\n\n\n\n<li>it downloads <a href=\"https:\/\/github.com\/cr1f\/P.A.S.-Fork\/tree\/main\" data-type=\"link\" data-id=\"https:\/\/github.com\/cr1f\/P.A.S.-Fork\/tree\/main\" target=\"_blank\" rel=\"noreferrer noopener\">P.A.S. fork<\/a> from home and saves it to disk.<\/li>\n<\/ul>\n\n\n\n<p>Pretending to be the Red Cross to perform a sneak attack is one of the vilest things a human being can do. Stay safe, kids, always be paranoid and never trust a famous logo.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve received this email: If you follow the link to phishing URL https:\/\/us.en-wordpress.org\/plugins\/cve-2024-46188\/, download the file, and analyze the code, you immediately realize that this plugin is malicious and does the following: Pretending to be the Red Cross to perform a sneak attack is one of the vilest things a human being can do. Stay &#8230;<\/p>\n<p><a class=\"understrap-read-more-link button button-black\" href=\"https:\/\/jamez.it\/blog\/2024\/01\/05\/phishing-malware-attack-wordpress-patch-cve-2024-46188\/\">Continue Reading &rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[78,118,117,19,44],"_links":{"self":[{"href":"https:\/\/jamez.it\/blog\/wp-json\/wp\/v2\/posts\/3807"}],"collection":[{"href":"https:\/\/jamez.it\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jamez.it\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jamez.it\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jamez.it\/blog\/wp-json\/wp\/v2\/comments?post=3807"}],"version-history":[{"count":2,"href":"https:\/\/jamez.it\/blog\/wp-json\/wp\/v2\/posts\/3807\/revisions"}],"predecessor-version":[{"id":3811,"href":"https:\/\/jamez.it\/blog\/wp-json\/wp\/v2\/posts\/3807\/revisions\/3811"}],"wp:attachment":[{"href":"https:\/\/jamez.it\/blog\/wp-json\/wp\/v2\/media?parent=3807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jamez.it\/blog\/wp-json\/wp\/v2\/categories?post=3807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jamez.it\/blog\/wp-json\/wp\/v2\/tags?post=3807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}