Widespread Scans Underway for RCE Bugs in WordPress Websites

WordPress websites using buggy Epsilon Framework themes are being hunted by hackers.

Millions of malicious scans are rolling across the internet, looking for known vulnerabilities in the Epsilon Framework for building WordPress themes, according to researchers.

According to the Wordfence Threat Intelligence team, more than 7.5 million probes targeting these vulnerabilities have been observed, against more than 1.5 million WordPress sites, just since Tuesday.

Epsilon serves as the foundation for multiple third-party WordPress themes. Multiple recently patched security bugs in the framework could be chained together to allow remote code-execution (RCE) and site takeovers, researchers said.

Through code reuse, multiple themes have vulnerable versions in circulation, including Shapely, NewsMag, Activello and 12 others, detailed in the firm’s Tuesday blog post.

“The security flaws on WordPress websites in themes using the Epsilon Framework are just another example of this content management system’s inherent security risks,” said Ameet Naik, security evangelist at PerimeterX, via email. “Shadow Code introduced via third-party plugins and frameworks vastly expands the attack surface for websites. Website owners need to be vigilant about third-party plugins and framework and stay on top of security updates.”

The issues in question are function-injection bugs, affecting around 150,000 sites in total, Wordfence estimated.

“So far today, we have seen a surge of [attacks] coming from over 18,000 IP addresses,” according to the posting. “While we occasionally see attacks targeting a large number of sites, most of them target older vulnerabilities. This wave of attacks is targeting vulnerabilities that have only been patched in the last few months.”

The attacks are essentially probes that use POST requests to admin-ajax.php and, as such, do not leave distinct log entries, according to Wordfence (though they will be visible in Wordfence Live Traffic). So far, thankfully, an RCE chain has yet to materialize, but that doesn’t mean those attacks aren’t coming.

“For the time being, the vast majority of these attacks appear to be probing attacks, designed to determine whether a site has a vulnerable theme installed rather than to perform an exploit chain,” researchers said. “We are not providing additional detail on the attacks at this time, as the exploit does not yet appear to be in a mature state and a large number of IP addresses are in use.”

Website owners should update all themes to the latest versions.

“WordPress powers as much as a third of all websites on the internet, including some of the most highly trafficked sites and a large percentage of e-commerce sites, so WordPress security should be of top concern to organizations,” said Jayant Shukla, CTO and co-founder of K2 Cyber Security, via email. “This latest attack, on a recently patched injection vulnerability on WordPress sites using Epsilon Framework themes, is looking for sites that have neglected to install the latest updates. As we know from past research, as many as 60 percent of successful attacks are on vulnerabilities that already have a patch to prevent its exploit. Organizations need to take the security of their WordPress sites more seriously, starting with keeping the plugins and software up-to-date and patched.”