The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The EscortWP WordPress theme versions through 3.6.2 contained a vendor-authored backdoor deliberately embedded in obfuscated code, representing a critical supply chain compromise. This vulnerability allows unauthenticated attackers with a hard-coded, per-build key to execute two devastating attacks: permanent deletion of all site content and covert exfiltration of sensitive data including site URLs, administrator email addresses, and license keys to attacker-controlled servers. Any WordPress installation using the affected theme versions is at risk, regardless of other security controls, making this a high-impact threat affecting potentially thousands of websites.
Casky's security skills, powered by Claude AI's extended reasoning capabilities, would detect the attack patterns behind this backdoor by analyzing indicators across multiple MITRE ATT&CK techniques including T1190 (Exploit Public-Facing Application), T1033 (System Information Discovery), T1041 (Exfiltration Over C2 Channel), and T1485 (Data Destruction). Practitioners using Casky would identify suspicious outbound connections to unknown third-party servers, unusual data queries targeting administrator credentials and site metadata, obfuscated code execution patterns within theme files, and unexpected deletion operations on core WordPress database tables. The platform's skill mapping would correlate these behavioral indicators to reveal the complete attack chain, enabling practitioners to distinguish legitimate plugin activity from malicious exfiltration and destruction operations, and to rapidly assess their exposure to this supply chain threat.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-12685. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation