Security researchers have discovered evidence that suggests that two recently patched vulnerabilities in a popular WordPress themes package are being actively exploited.
Analysts at Wordfence, who develop security solutions including plugins to protect the popular content management system (CMS), believe that over 100,000 unpatched installations of the themes are in the crosshairs of hackers.
“We are seeing these vulnerabilities being actively exploited in the wild, and we urge users to update to the latest versions available immediately since they contain a patch for these vulnerabilities,” appeal the researchers as they share evidence of exploitation.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
Active campaign
Wordfence believes the threat actors have chained together the two vulnerabilities to find a way to upload arbitrary files on the vulnerable WordPress hosts.
After analysing the intrusion vector, the researchers note that the hackers are using the Unauthenticated Option Update vulnerability to first update an option in the associated database on the website. Once successful, they then use the Unauthenticated Arbitrary File Upload vulnerability to upload malicious PHP files.
One of the files (signup.php) is placed in the webroot of compromised websites and is thought to be a backdoor that will help infect more sites. A small subset of the infected sites also have another file (client.php) that appears to be used for injecting spam.
The researchers have found evidence of these malicious PHP payloads on over 1900 websites. They’ll share more details soon as they continue to study the ongoing campaign.