Cloudflare Still Providing DNS Service for WordPress Security Team Impersonation Scam
For a couple of months now, a phishing email campaign has been warning recipients of a vulnerability on WordPress websites and telling them to download a plugin to address it. The email has this format:
Dear user
A critical vulnerability on the site: , has been detected by the WordPress Security Team.
The detected Remote Code Execution (RCE) high-risk vulnerability on your site could result to the execution of malicious code, jeopardizing your data, user information, and overall site security.
We strongly recommend you to install the CVE-2024-46188 Patch immediately, as we are continuously working to fix this significant security vulnerability in the next WordPress update.
Click the button below to download the plugin, and then proceed to install and activate it on your site. This guarantees a fast and straightforward defense against potential exploits and malicious actions related with this vulnerability.
Regards
The WordPress Security Team
As we noted when this started, the DNS service for domains being used as part of this was being provided by a security provider, Cloudflare. This was reported to them at the time.
A new round of this campaign is going on, and one of the domains it uses is mailbox-wordpress.org. The DNS service is once again from Cloudflare. Here are the name servers they were using for that domain:
evangeline.ns.cloudflare.com
major.ns.cloudflare.com
Those in the WordPress community frequently promote Cloudflare, which makes their involvement stand out even more than it would if they were simply a security provider providing service to this phishing campaign. As we recently noted again, they are also not doing a lot of what they could to secure WordPress websites using their service.
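As an added example (not code from this post, WordPress or Cloudflare), here is a mail-filter style check for the email format quoted above. It goes slightly beyond the one domain named here by flagging any sender or link host that contains "wordpress" without being a trusted domain. The trusted list, the two-signal threshold and the sample message's addresses and URL path are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = ("wordpress.org", "wordpress.com")  # assumption: extend for your environment
# Wording taken from the email format quoted in this post.
LURE_PHRASES = ("wordpress security team", "download the plugin", "patch immediately")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)

def is_lookalike(host):
    """True if host mentions 'wordpress' but is not a trusted domain or its subdomain."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return False
    return "wordpress" in host

def score_email(raw):
    """Return (flagged, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    text = body.lower()
    reasons = []
    hits = [p for p in LURE_PHRASES if p in text]
    if len(hits) >= 2:
        reasons.append("lure wording: " + ", ".join(hits))
    if CVE_RE.search(body) and "plugin" in text:
        reasons.append("CVE 'patch' offered as a plugin download")
    # Check the sender's domain and every linked host against the trusted list.
    sender = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2]
    hosts = {sender} | {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    reasons += ["lookalike domain: " + h for h in sorted(hosts) if is_lookalike(h)]
    return len(reasons) >= 2, reasons  # assumption: require two independent signals

# Constructed sample: wording from the quoted email; addresses and URL path are made up.
SAMPLE = """From: WordPress Security Team <security@mailbox-wordpress.org>
To: admin@example.com
Subject: Critical vulnerability detected
Content-Type: text/plain; charset=utf-8

A critical vulnerability on the site: example.com, has been detected by the WordPress Security Team.
We strongly recommend you to install the CVE-2024-46188 Patch immediately.
Click the button below to download the plugin: https://mailbox-wordpress.org/placeholder-path
"""

if __name__ == "__main__":
    flagged, reasons = score_email(SAMPLE)
    print(flagged, *reasons, sep="\n")
```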