Spam emails about WordPress vulnerabilities


Fake emails about "high-risk vulnerabilities" in WordPress contain links that you should not click. As always, caution is your best defence against phishing attacks.

WordPress Hosting

Today a customer did the right thing and forwarded a strange email to us to check whether it was genuine. It was not, and thanks to their they avoided an attempted phishing attack.

The email was made to look as if it was sent by WordPress, saying that a security risk (an so-called "Remote Code Execution (RCE) high-risk vulnerability") required a new patch, CVE-2024-41688. The "Download" link leads to a fake website which harvests user information.

If you have received an email with these details, ignore it and block the sender:

Sender: or
Subject: CRITICAL: Your website <> is at risk!
Recommended WordPress patch: CVE-2024-46188 (which is a fake code - this patch does not exist)

More about WordPress impersonation scams

There have been a number of similar spam emails sent to WordPress users. WordPress's own security team has published an article about them. For more information and advice, see Alert: WordPress Security Team Impersonation Scams.

Hosting and Domains

Welcome to MyHost

Expert Advice

If you have any questions about running WordPress securely and quickly, get in touch.

Contact us

Real words from real MyHost customers

Trustpilot reviewer
Attila F
Trustpilot reviewer
Paul Bennett
Trustpilot reviewer