As of Nov 22, 2020, unknown threat actors are scanning for WordPress websites running themes built on the Epsilon Framework, which are installed on over 150,000 sites and are vulnerable to function injection attacks that could lead to full site takeover.
“So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses,” Wordfence QA engineer and threat analyst Ram Gall said.
The ongoing large-scale wave of attacks against potentially vulnerable WordPress websites is targeting recently patched vulnerabilities.
While the security flaws found during the last few months in themes using the Epsilon Framework could allow site takeover through an exploit chain ending in remote code execution (RCE), most of these ongoing attacks are designed only to probe for the vulnerabilities.
“We are not providing additional detail on the attacks at this time, as the exploit does not yet appear to be in a mature state and a large number of IP addresses are in use,” Gall added.
“These attacks use POST requests to admin-ajax.php and as such do not leave distinct log entries, though they will be visible in Wordfence Live Traffic.”
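Because these probes arrive as ordinary POST requests to admin-ajax.php with no distinctive log entry, log review has to work on volume and shape rather than on a signature. The following Python is an added example, not code from the article or from Wordfence: it buckets POST requests to /wp-admin/admin-ajax.php from a combined-format access log into time windows and counts requests, distinct source addresses and requests lacking a Referer. The sample log lines, the thresholds and the no-Referer heuristic are constructed assumptions to be tuned against a site's normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Nov/2020:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Nov/2020:10:01:06 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Nov/2020:10:01:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 501 "-" "python-requests/2.25"
198.51.100.7 - - [22/Nov/2020:10:01:08 +0000] "GET /wp-content/themes/shapely/style.css HTTP/1.1" 200 9000 "-" "python-requests/2.25"
192.0.2.44 - - [22/Nov/2020:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 20 "https://example.org/" "Mozilla/5.0"
192.0.2.44 - - [22/Nov/2020:10:30:00 +0000] "GET / HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def triage_admin_ajax(log_text, window_minutes=5):
    """Per time window: count admin-ajax.php POSTs, distinct source IPs, and POSTs with no Referer.
    Assumption: browser-driven admin-ajax.php calls normally carry a Referer; a bare POST without one
    is a triage signal, not proof of an attack."""
    windows = defaultdict(lambda: {"requests": 0, "ips": set(), "no_referer": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/wp-admin/admin-ajax.php":
            continue
        ts = rec["ts"]
        bucket = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)
        w = windows[bucket.isoformat()]
        w["requests"] += 1
        w["ips"].add(rec["ip"])
        if rec["ref"] == "-":
            w["no_referer"] += 1
    return {k: {"requests": v["requests"], "sources": len(v["ips"]), "no_referer": v["no_referer"]}
            for k, v in sorted(windows.items())}

def flag_bursts(summary, min_requests=20, min_sources=5):
    """Windows where both volume and source diversity exceed a baseline (placeholder thresholds)."""
    return [w for w, s in summary.items() if s["requests"] >= min_requests and s["sources"] >= min_sources]
```

Run `triage_admin_ajax(open("access.log").read())` against a real log and compare the flagged windows with Wordfence Live Traffic for the same period.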
Vulnerable theme versions
The targeted Epsilon Framework themes with versions known to be vulnerable to these attacks are:
- Shapely
- NewsMag
- Activello
- Illdy
- Allegiant
- Newspaper X
- Pixova Lite
- Brilliance
- MedZone Lite
- Regina Lite
- Transcend
- Affluent
- Bonkers
- Antreas
- NatureMag Lite
Owners and admins of websites running vulnerable versions of these themes are advised to update to a patched version immediately, if one is available.
If no patch is currently available, they should switch to another theme as soon as possible to block the attack attempts.
Ref: Bleeping Computer