According to researchers, millions of malicious scans are rolling across the internet, seeking known vulnerabilities in the Epsilon Framework for building WordPress themes.
More than 7.5 million probes targeting these vulnerabilities have been noted against more than 1.5 million WordPress sites just since Tuesday, according to the Wordfence Threat Intelligence team.
Epsilon serves as the foundation for multiple WordPress themes from third parties. Several recently patched security bugs in the framework could be chained together to allow remote code execution (RCE) and site takeovers, researchers said.
Through code reuse, multiple themes have vulnerable versions in circulation, including Shapely, NewsMag, Activello and 12 others, detailed in the company’s Tuesday blog post.
“The security flaws in the themes using the Epsilon Framework on WordPress websites are just another example of the inherent security risks of this content management system,” said Ameet Naik, PerimeterX’s security evangelist, via email. Shadow Code, introduced through third-party plugins and frameworks, significantly expands the website attack surface. Website owners need to be vigilant about plugins and structures from third parties and stay on top of security updates.
The problems in question are function-injection bugs, which Wordfence estimated affect around 150,000 sites in total.
“We have seen a surge of attacks coming from more than 18,000 IP addresses so far today,” according to the posting. “Although we sometimes see attacks targeting a wide range of sites, most of them target older vulnerabilities. This wave of attacks is aimed at vulnerabilities that have only been fixed in recent months.”
The attacks are essentially probing attacks that use POST requests to admin-ajax.php and, according to Wordfence, do not leave separate log entries as such (although they will be visible in Wordfence Live Traffic). Luckily, the RCE chain has yet to materialise so far, but that doesn’t mean that these attacks are not coming.
The vast majority of these attacks appear to be probing attacks for the time being, designed to determine whether a site has a vulnerable theme installed rather than to carry out an exploit chain, researchers said. “At this time, we are not providing additional details on the attacks, as the exploit does not appear to be in a mature state yet and a large number of IP addresses are in use.”
Website owners should update all themes to the most recent versions.
Moreover, Jayant Shukla, CTO and co-founder of K2 Cyber Security, said via email, “WordPress powers as much as a third of all websites on the internet, including some of the most highly trafficked sites and a large percentage of e-commerce sites, so WordPress security should be of top concern to organisations.” This latest attack, using Epsilon Framework themes on a recently patched injection vulnerability on WordPress sites, is looking for sites that have failed to install the latest updates. As we know from previous research, up to 60% of successful attacks are on vulnerabilities that already have a patch to prevent their exploitation. Organizations need to take the security of their WordPress sites more seriously, beginning with maintaining up-to-date and patched plugins and software.