-keyword-wp-content Plugins Wp-catcher Index.php

Attackers often target forgotten plugins. If you’re not using it, delete it – don’t just deactivate.

The attacker exploited a vulnerability in the plugin (version 5.0, known for LFI). The injection created the wp-catcher plugin, then used the -KEYWORD- string to execute commands. The attacker downloaded the database, defaced the homepage, and sent spam. -KEYWORD-wp-content plugins wp-catcher index.php

appears to be a search dork or a specific file path associated with WordPress plugin vulnerabilities Attackers often target forgotten plugins

The presence of the string -KEYWORD-wp-content plugins wp-catcher index.php in your logs or database indicates that an attacker has attempted to create or access a malicious file. Here are the most common infection vectors: The injection created the wp-catcher plugin, then used

We extracted a sample of a real-world wp-catcher/index.php file to understand its behavior. Here is a redacted snippet: