CVE-2026-12685
Received Received - Intake

EscortWP Theme Backdoor Allows Site Deletion and Data Exfiltration

Vulnerability report for CVE-2026-12685, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: WPScan

Description

The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
escortwp escortwp to 3.6.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The EscortWP WordPress theme, up to version 3.6.2, contains a vendor-authored, obfuscated backdoor. This backdoor allows an unauthenticated attacker to permanently delete all the site's content by supplying a hard-coded, per-build key. The malicious code is hidden using multiple layers of obfuscation and disguised as a legacy mobile/license check.

Additionally, the backdoor covertly transmits sensitive information such as the site URL, administrator email address, and license key to a third-party server. The same hard-coded key used for deleting content is also exfiltrated, enabling the attacker to obtain working deletion keys for all affected sites.

  • Malicious file named functions-mobile-detect.php
  • Unauthenticated AJAX action (ajax_check_mobile_detect_legacy) that triggers content deletion
  • Outbound beacon to https://escortwp.com/check-license/ transmitting sensitive site data
Impact Analysis

This vulnerability can have severe impacts including permanent deletion of all your website's content without any authentication. This means an attacker can completely erase your site data remotely.

Furthermore, sensitive information such as your site URL, administrator email, license key, and the deletion key itself are covertly sent to a third-party server, potentially exposing your site to further attacks or misuse.

Detection Guidance

This vulnerability can be detected by looking for specific indicators of compromise within the EscortWP theme files and monitoring network activity.

  • Check for the presence of a malicious file named functions-mobile-detect.php in the theme directory.
  • Search the theme files for heavily obfuscated code using base64, gzuncompress, and eval functions, especially code disguised as a legacy mobile/license check.
  • Look for an unauthenticated AJAX action named ajax_check_mobile_detect_legacy which can trigger content deletion.
  • Monitor outbound network requests to https://escortwp.com/check-license/ which transmits the site URL, administrator email, and license key.

Suggested commands to detect these indicators include:

  • Find the malicious file: `find /path/to/wordpress/wp-content/themes/escortwp/ -name functions-mobile-detect.php`
  • Search for obfuscated code patterns: `grep -r --include=*.php 'base64_decode' /path/to/wordpress/wp-content/themes/escortwp/`
  • Search for the AJAX action: `grep -r 'ajax_check_mobile_detect_legacy' /path/to/wordpress/wp-content/themes/escortwp/`
  • Monitor outbound connections (example using tcpdump): `tcpdump -i eth0 host escortwp.com and port 443`
Mitigation Strategies

Immediate mitigation steps include removing or replacing the vulnerable EscortWP theme version and preventing the backdoor from executing.

  • Disable or remove the EscortWP theme version 3.6.2 or earlier from your WordPress installation.
  • If possible, replace the theme with a clean, verified version that does not contain the backdoor.
  • Block outbound network requests to https://escortwp.com/check-license/ to prevent data exfiltration.
  • Monitor your site for unauthorized content deletion and restore from backups if necessary.

Note that no official fix is currently available, so removing or replacing the theme and blocking malicious activity are critical.

Compliance Impact

The vulnerability in the EscortWP theme allows an unauthenticated attacker to exfiltrate sensitive site information such as the site URL, administrator email address, and license key to a third-party server. This unauthorized transmission of potentially personal data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized access and disclosure.

Additionally, the permanent deletion of all site content by an attacker could result in loss of data integrity and availability, which are critical aspects of compliance with many security standards and regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12685. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart