Themes Vulnerabilities
EscortWP <= 3.6.2 - Content Deletion via Vendor-Authored Backdoor
Description
The EscortWP theme was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.
This is intentional, vendor-shipped malicious code rather than an accidental vulnerability: the payload is hidden behind several layers of obfuscation (base64 + gzuncompress + eval) inside the theme and disguised as a legacy mobile/license check.
Indicators of compromise (affecting versions up to and including 3.6.2):
- Malicious file: functions-mobile-detect.php, carrying an obfuscated payload labelled as "legacy code for old devices".
- Unauthenticated AJAX action ajax_check_mobile_detect_legacy, registered for both authenticated and unauthenticated users; submitting the build's hard-coded key permanently force-deletes every post of every post type.
- Outbound beacon to https://escortwp.com/check-license/ on admin page loads, transmitting the site URL, administrator email address, and license key (the response is discarded).
- An option name abused to masquerade as WordPress core and throttle the beacon to roughly every three days: _site_transient_update_time_core.
Because the same per-build key both authorizes the content deletion and is exfiltrated by the beacon, the theme author receives a working content-deletion key for every site running the theme. Each per-customer build embeds a unique key; some nulled or modified copies may have the backdoor removed.