
WordPress Core Update/Downgrade

Alert ID: core_update

MITRE ATT&CK: T1072 – Software Deployment Tools


| Level | Condition |
|-------|-----------|
| Info | Normal WordPress core update |
| High | Version downgrade detected, highly suspicious |

  • Downgrades reintroduce already patched vulnerabilities.
  • Modified versions may contain backdoors or trojanized code.
  • Fake updates may install altered versions for malicious purposes.
  • After-hours or unauthorized changes are indicators of manipulation.

!!! danger ""
    In production, downgrades are never normal practice and always require review.


  • Manual update: _core_updated_successfully hook.
  • Automatic update: automatic_updates_complete hook.
  • Downgrade detected: through version_compare() when the new version is lower.
  • Version analysis: comparison between old_version and new_version.

| Type | Pattern / Example | Description |
|------|-------------------|-------------|
| file_pattern | wp-includes/version.php | Modified file containing the core version |
| file_pattern | wp-admin/includes/update.php | Altered update-system hooks |
| behavior | Beta or RC versions in production | Use of unstable versions |
| behavior | Major downgrade (>2 versions) | Significant system regression |
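
The downgrade check and the two behavioral indicators above, as an added PHP example that is not the plugin's own code. Function names, array keys and the sample version pairs are assumptions, and "more than 2 versions" is assumed to count major branches (X.Y); the classifier would be called with old_version and new_version from the update hooks listed earlier.

```php
<?php
// Added example, not the plugin's code. All names below are hypothetical.

// WordPress branches run ..., 5.8, 5.9, 6.0, ... so branch X.Y maps to 10*X + Y.
function branch_index(string $version): int
{
    if (!preg_match('/^(\d+)\.(\d+)/', $version, $m)) {
        throw new InvalidArgumentException("Unparseable version: $version");
    }
    return (int) $m[1] * 10 + (int) $m[2];
}

// Classify a core version change using the levels from the table above.
function classify_core_change(string $old, string $new): array
{
    $level = 'info';
    $findings = [];

    // Behavioral indicator: beta or RC build installed.
    if (preg_match('/-(?:beta|rc)/i', $new)) {
        $findings[] = 'prerelease_version';
    }

    // version_compare() orders 4.9.10 above 4.9.9 and 6.5-RC1 below 6.5,
    // which a plain string comparison gets wrong.
    if (version_compare($new, $old, '<')) {
        $level = 'high';
        $findings[] = 'downgrade';
        // Assumption: ">2 versions" counts major branches (X.Y).
        if (branch_index($old) - branch_index($new) > 2) {
            $findings[] = 'major_downgrade';
        }
    }

    return ['alert' => 'core_update', 'level' => $level,
            'old_version' => $old, 'new_version' => $new, 'findings' => $findings];
}

// Constructed version pairs (old, new), not taken from real logs.
$samples = [
    ['6.4.2', '6.4.3'],   // routine minor update
    ['4.9.9', '4.9.10'],  // still an upgrade despite string ordering
    ['6.5', '6.5-RC1'],   // release replaced by its own release candidate
    ['6.4.3', '6.0.1'],   // drops four branches
];
foreach ($samples as [$old, $new]) {
    echo json_encode(classify_core_change($old, $new)), PHP_EOL;
}
```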

  • Legitimate automatic updates.
  • Planned rollbacks due to temporary incompatibility.
  • Testing in development or staging environments.

!!! warning ""
    In production, any detected downgrade should be investigated immediately.


  1. Verify core integrity:

    ```bash
    wp core verify-checksums --skip-plugins --skip-themes
    ```
  2. Check the currently installed version:

    ```bash
    wp core version --extra
    ```
  3. Analyze context: confirm whether the update or rollback was authorized and by whom.

  4. If downgraded, identify the reason, review modified files, and confirm integrity.


=== "Immediate"

    !!! danger ""
        - Urgently investigate any detected downgrade.
        - Verify checksums for all core files.
        - Compare the installation with a clean original version.
        - Review logs and remove suspicious or modified files.

=== "Preventive"

    !!! tip ""
        Restrict automatic updates to minor versions:

        ```php
        define('WP_AUTO_UPDATE_CORE', 'minor');
        ```

        - Document and control all system updates.
        - Test changes in staging first.
        - Create backups before every update.
        - Implement continuous file-integrity monitoring.

  • WordPress Update Services
  • Core Checksums Verification