Usually in the wallet.dat file, the pubkey(a bitcoin address) and the private key are in pairs. Your point of view seems to be that the website author added a pubkey(a bitcoin address)and a private key that does not match it in the wallet, but successfully cheated the bitcoin core client.
It only "cheated" because the private keys are supposed to be encrypted with a password. Without knowing the password, Bitcoin Core cannot get the private key to check that it matches the public key. Once it does have the password, it can and will check that it matches, and when it sees it does not, it will throw an error. It is impossible for anyone to check that the encrypted private key is correct without knowing the password to decrypt it.
Yes, you are correct, this wallet.dat is encrypted, the Bitcoin core client can not decrypt it, verify that the private key matches the public key, thank you for your answer.