We’ve seen a recent spike in fake emails which try to appear as if they’ve come from the WordPress security team. Generally, they have an email subject similar to:

IMPORTANT: Vulnerability found – Your website <websitename> is at risk!


These emails are fake.

One of the more recent emails tries to say there’s a critical vulnerability, with text similar to or containing:

The Remote Code Execution (RCE) vulnerability identified on your site is classified as a critical threat, potentially allowing malicious code execution and putting your data, user details, and overall site security at risk.

We urge you to apply the CVE-2024-46188 Patch as soon as possible, while we are working on mitigitating this crucial security flaw in the next WordPress version.


These emails have NOT originated from the WordPress Team and are designed to get you to download a malicious plugin. Simply delete this email.

This scam has been circulating for a while and has previously listed fake vulnerabilities such as CVE-2023-45124. The emails are originating from domains such as mailserver-wordpress.org and help-wordpress.org.
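The indicators above (the sender domains and the subject template) can be checked automatically in a mail filter or triage script. The following Python is an added example, not code from WordPress or from this article's author; the allowlist, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: only wordpress.org (and its subdomains) is treated as genuine;
# extend this allowlist with any other sender domains you actually trust.
LEGIT_DOMAINS = {"wordpress.org"}
# Sender domains named in the article.
KNOWN_BAD = {"mailserver-wordpress.org", "help-wordpress.org"}
# Subject template quoted in the article, tolerant of the dash variant used.
SUBJECT_RE = re.compile(r"vulnerability found\b.*\bis at risk", re.I)

def is_legit(domain):
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)

def check_email(raw):
    """Return the reasons a raw message looks like this impersonation scam."""
    msg = message_from_string(raw)
    reasons = []
    for header in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1]
        domain = addr.rpartition("@")[2].lower().rstrip(".")
        if not domain:
            continue
        if domain in KNOWN_BAD:
            reasons.append(f"{header}: domain listed in advisory ({domain})")
        elif "wordpress" in domain and not is_legit(domain):
            reasons.append(f"{header}: lookalike domain ({domain})")
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("Subject matches the scam template")
    return reasons

# Constructed sample messages (not real captures).
FAKE = (
    "From: WordPress Security <security@help-wordpress.org>\n"
    "Reply-To: support@wordpress.org.example.net\n"
    "Subject: IMPORTANT: Vulnerability found - Your website example.com is at risk!\n"
    "\nPlease apply the patch.\n"
)
REAL = (
    "From: WordPress.org <noreply@wordpress.org>\n"
    "Subject: [WordPress.org] Password changed\n\nBody\n"
)

if __name__ == "__main__":
    for name, raw in (("FAKE", FAKE), ("REAL", REAL)):
        print(name, check_email(raw) or "no indicators")
```

Header checks like this only catch lookalike domains; a message that forges a genuine wordpress.org address in `From` would pass, so combine it with your mail server's SPF/DKIM/DMARC verdict.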

For more detailed analysis, PatchStack and Wordfence have reviewed the contents of the malicious plugin to show what it would do to your WordPress site if installed.


WordPress will never ask you to download files or log in to any area of their system in relation to a security issue.

For further guidance, WordPress has also published an alert about these scams: https://wordpress.org/news/2023/12/alert-wordpress-security-team-impersonation-scams/
