There is a dangerous phishing email circulating that targets WordPress users. It asks you to download and install a plugin to your WordPress website to protect you against what is a fake vulnerability.
If you receive an email with the subject line “Immediate Action Needed: Vulnerability Found – Your website is at risk!” claiming to be from the WordPress Security Team, please be advised that it is a scam email and it has not come from the WordPress security team. Please do not click on the link in the email, don’t download the plugin, and absolutely do not install it on your website.
Here’s the full text of the email and a screenshot of how it looks:
Subject: Immediate Action Needed: Vulnerability found – Your website is at risk!
Dear user
A critical vulnerability on the site: [yourdomainname], has been identified by the WordPress Security Team.The identified Remote Code Execution (RCE) critical vulnerability on your site could result to the execution of malicious code, jeopardizing your privacy, user information, and overall site security.
We strongly recommend you to apply the CVE-2024-46188 Patch as soon as possible, as we are constantly working to fix this crucial security threat in the next WordPress update.
Click the button below to download the plugin, and then proceed to install and activate it on your site. This assures a speedy and seamless protection against potential exploits and malicious actions related with this vulnerability.
This phishing attempt aims to get you to download and install what is a malicious plugin to your WordPress website. That plugin would then put malware onto your website. This is a relatively new technique, but I’ve already had several clients reach out to me as they’d received the email and were right to be suspicious.
Most of my clients wouldn’t add a plugin to their site, but for the small percentage who are actively adding plugins, please only download them from reputable sources and the official WordPress plugin repository. If in doubt, please always contact me to make sure. I know it’s getting trickier each day to know who to trust, and the scam email I’m referring to was a particularly good fake.
As always, it pays to be super vigilant and suspicious.