Sites locked and strange email

I received an email from my 3 CP websites:

Howdy!

ClassicPress has a built-in feature that detects when a plugin or theme causes a fatal error on your site, and notifies you with this automated email.

In this case, ClassicPress caught an error with one of your plugins, Enriched Editor.

First, visit your website (https://mysite.com/) and check for any visible issues. Next, visit the page where the error was caught (https://mysite.com/wp-login.php) and check for any visible issues.

Please contact your host for assistance with investigating this issue further.

If your site appears broken and you can’t access your dashboard normally, WordPress now has a special “recovery mode”. This lets you safely login to your dashboard and investigate further.

https://mysite.com/wp-login.php?action=enter_recovery_mode&rm_token=atQbZMTyWnRfHPSkdpHDZ4&rm_key=AJZNk6iQnZii1C4v1fYphZ

To keep your site safe, this link will expire in 1 day. Don’t worry about that, though: a new link will be emailed to you if the error occurs again after it expires.

When seeking help with this issue, you may be asked for some of the following information:
ClassicPress version 6.2.6
Active theme: Child (version 1.0)
Current plugin: Enriched Editor (version 1.2.5)
PHP version 8.3.21

Each email referred to a different plugin. Upon going to each site, I indeed got a critical error message on both the front and back ends.

I dumped all the files, folders and database tables and did a full restore to CP 2.4.1 via cPanel and the sites worked fine again.

I have one WP installation on the same server and it was not affected. It uses the same hardening plugins as my CP sites.

  1. Is that email really sent from CP?
  2. Is CP 2.5 vulnerable?

I have never had this happen before and it is a bit concerning.

What seems strange to me is that the Enriched Editor error was caught on the login page, where it should not be loaded at all, since it should load only when using the CP classic editor, since it’s a plugin adding features to it.

I did not receive such notices for my CP sites, however, so I don’t know if it’s normal or not.

@Simone is the author of the Enriched Editor plugin, maybe he has an idea what’s happening here.

@Aussie wrote:

Is CP 2.5 vulnerable?

Whatever is going on here, that message is not about security.

Each of the three emails called out a different plugin. They seemed to have been picked at random.

I realize it doesn’t specify a security issue as such. However, each site seems to have been hacked.

That’s why I was asking if CP actually sends out these emails and whether v2.5 possibly has a security hole that v2.4.1 doesn’t?

CP (and WP) do send such emails BUT when they do, you also have a critical error message in place of the site that warns you to look to the email for details. HOWEVER, those really seem to be a hack.

Yes, there was a critical error message with the details, but I did not include it in my original post.

There didn’t seem to be any point, because the plugins they picked for each site do not normally cause errors.

Interesting that you say the email was probably genuine. That just leaves me wondering how the sites were hacked.

I guess I was just unlucky and doing a dump and restore was not a major problem.

The sites have not been hacked again, so hopefully they will just move on and leave me alone.

Most of the time it’s a plugin. If I were you, I’d check whether there is any CVE or other known vulnerability in one or more of those installed, and then either get it updated OR replaced by something less bug-ridden.

cu, w0lf.

I did not say the specific emails were genuine. I said that generally CP has the ability to send such emails BUT what is in them usually makes sense. What I noticed instead is that it targets Enriched Editor (a plugin that only runs when on the editor page for posts/pages etc.) on a page where it should not be loaded, that is, login.php - this does not make any sense at all. So methinks that something corrupted your installation (a theme/plugin vulnerability is the most frequent culprit in that case) and that something then started to send spam mails like that one, mimicking the normal CP behavior. OR probably CP was corrupted and went berserk after the corruption.

Are the three emails related to the same site, or three different sites? If they are related to three different sites, maybe an update on those sites failed.

The emails were for three different sites. No updates had been done.

Since the WP installation uses the same three plugins and was not affected, it seems strange.

I will continue to monitor the sites and upgrade one to CP 2.5.

If one or more fails again, I’ll look into it more thoroughly. For now, I’ll just write it up as a one-off hiccup or hack.