CVE-2026-12685 PUBLISHED

EscortWP <= 3.6.2 - Content Deletion via Vendor-Authored Backdoor

Assigner: WPScan
Reserved: 19.06.2026 Published: 10.07.2026 Updated: 10.07.2026

The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.

Product Status

Vendor Unknown
Product escortwp
Versions Default: unknown
  • affected from 0 to 3.6.2 (incl.)

Credits

  • Mike Gozdiskowski finder
  • WPScan coordinator

References

Problem Types

  • CWE-912 Hidden Functionality CWE