Themes Vulnerabilities

EscortWP <= 3.6.2 - Content Deletion via Vendor-Authored Backdoor

Description

The EscortWP theme was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.

This is intentional, vendor-shipped malicious code rather than an accidental vulnerability: the payload is hidden behind several layers of obfuscation (base64 + gzuncompress + eval) inside the theme and disguised as a legacy mobile/license check.

Indicators of compromise (affecting versions up to and including 3.6.2):
- Malicious file: functions-mobile-detect.php, carrying an obfuscated payload labelled as "legacy code for old devices".
- Unauthenticated AJAX action ajax_check_mobile_detect_legacy, registered for both authenticated and unauthenticated users; submitting the build's hard-coded key permanently force-deletes every post of every post type.
- Outbound beacon to https://escortwp.com/check-license/ on admin page loads, transmitting the site URL, administrator email address, and license key (the response is discarded).
- An option name abused to masquerade as WordPress core and throttle the beacon to roughly every three days: _site_transient_update_time_core.

Because the same per-build key both authorizes the content deletion and is exfiltrated by the beacon, the theme author receives a working content-deletion key for every site running the theme. Each per-customer build embeds a unique key; some nulled or modified copies may have the backdoor removed.

Proof of Concept

Affects Themes

No known fix

References

Miscellaneous

Original Researcher
Mike Gozdiskowski
Submitter
Mike Gozdiskowski
Verified
Yes

Timeline

Publicly Published
2026-06-19 (about 21 days ago)
Added
2026-06-19 (about 20 days ago)
Last Updated
2026-07-09 (about 8 hours ago)

Other