Unknown threat actors are scanning for WordPress websites with Epsilon Framework themes installed on over 150,000 sites and vulnerable to Function Injection attacks that could lead to full site takeovers.
“So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses,” Wordfence QA engineer and threat analyst Ram Gall said.
Unknown threat actors are scanning for WordPress websites with Epsilon Framework themes installed on over 150,000 sites and vulnerable to Function Injection attacks that could lead to full site takeovers.
“So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses,” Wordfence QA engineer and threat analyst Ram Gall said.
Scanning for vulnerable sites
The ongoing large-scale wave of attacks against potentially vulnerable WordPress websites is targeting recently patched vulnerabilities.
While the security flaws found during the last few months in themes using the Epsilon Framework could allow for site takeover through an exploit chain ending in remote code execution (RCE), most of these ongoing attacks are designed to only probe for vulnerabilities.
“We are not providing additional detail on the attacks at this time, as the exploit does not yet appear to be in a mature state and a large number of IP addresses are in use,” Gall added.
“These attacks use POST requests to admin-ajax.php and as such do not leave distinct log entries, though they will be visible in Wordfence Live Traffic.”
Vulnerable theme versions
These versions of targeted Epsilon Framework themes are known to be vulnerable to these attacks:
- Shapely
- NewsMag
- Activello
- Illdy
- Allegiant
- Newspaper X
- Pixova Lite
- Brilliance
- MedZone Lite
- Regina Lite
- Transcend
- Affluent
- Bonkers
- Antreas
- NatureMag Lite
Owners and admins of websites running vulnerable versions of these themes are recommended to immediately update to a patched version if available.
If no patch is currently available, they should switch to another theme as soon as possible to block attack attempts.
In May, another massive attack campaign targeted roughly 900,000 WordPress sites within a single week trying to plant backdoors or redirect visitors to malvertising sites.
One month later, another series of attacks attempted to harvest database credentials from approximately 1.3 million WordPress sites by downloading configuration files
To read the original article: