CVE-2026-12685

Unknown · escortwp

The EscortWP WordPress theme contains a vendor-authored, obfuscated backdoor allowing unauthenticated attackers to delete site content and exfiltrate information.

Executive summary

A critical, vendor-inserted backdoor in the EscortWP WordPress theme allows unauthenticated attackers to destroy site data and exfiltrate administrative information.

Vulnerability

This vulnerability (CWE-912) is a deliberate backdoor hidden within the theme's code. It allows an unauthenticated attacker, utilizing a hard-coded, per-build key, to permanently delete site content and covertly transmit sensitive details, including the site URL and administrator email, to an external server.

Business impact

This is a critical threat to business continuity and data integrity. With a CVSS score of 7.5, the ability for an unauthenticated user to destroy the entire content of a website represents a total loss of availability and integrity. Furthermore, the exfiltration of administrator contact information significantly increases the risk of targeted follow-up attacks or phishing campaigns against the organization.

Remediation

Immediate Action: Immediately deactivate and remove the EscortWP theme from all WordPress installations, as no secure patch is currently available.

Proactive Monitoring: Scan for unauthorized file changes or suspicious outbound network traffic originating from the web server. Check logs for unexpected administrative actions or bulk content deletion.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules to block access to suspicious theme-related endpoints and monitor the integrity of the WordPress content directory.

Exploitation status

Public Exploit Available: Yes — per WPScan data, a public proof-of-concept exists for this vulnerability.

Analyst recommendation

Given the malicious nature of the code and the existence of public proof-of-concept information, this theme should be treated as compromised. Organizations must purge the EscortWP theme from their environment immediately and conduct a thorough forensic review of any site that had this theme installed to ensure no unauthorized persistence or data exfiltration has occurred.