Home

Description

The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.

PUBLISHED Reserved 2026-06-19 | Published 2026-07-10 | Updated 2026-07-10 | Assigner WPScan

Problem types

CWE-912 Hidden Functionality

Product status

Default status
unknown

Any version
affected

Credits

Mike Gozdiskowski finder

WPScan coordinator

References

wpscan.com/...rability/0e5f5730-167d-4853-a764-bb9e3d62fdc4/ exploit vdb-entry technical-description

cve.org (CVE-2026-12685)

nvd.nist.gov (CVE-2026-12685)

Download JSON