Large-scale campaign targets vulnerable Epsilon Framework WordPress themes

Hackers are scanning the Internet for WordPress websites with Epsilon Framework themes installed to launch Function Injection attacks.

Experts at the Wordfence Threat Intelligence team uncovered a large-scale wave of attacks targeting reported Function Injection vulnerabilities in themes using the Epsilon Framework.

Below a list of themes and related versions that are vulnerable to the above attacks:

Shapely <=1.2.7
NewsMag <=2.4.1
Activello <=1.4.0
Illdy <=2.1.4
Allegiant <=1.2.2
Newspaper X <=1.3.1
Pixova Lite <=2.0.5
Brilliance <=1.2.7
MedZone Lite <=1.2.4
Regina Lite <=2.0.4
Transcend <=1.1.8
Affluent <1.1.0
Bonkers <=1.0.4
Antreas <=1.0.2
NatureMag Lite <=1.0.5

According to the experts, the vulnerable themes are installed on over 150,000 sites.

“On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites.” reads the analysis published by WordFence. “So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses. While we occasionally see attacks targeting a large number of sites, most of them target older vulnerabilities.”

The vulnerabilities targeted by the threat actors could allow them to takeover WordPress installs through an exploit chain ending in remote code execution (RCE). The researcher did not provide technical details on the attacks because the exploit does not yet appear to be in a mature state.

The researchers pointed out the vast majority of these attacks appear to be probing attacks aimed at determining whether a site is running a vulnerable theme.

“These attacks use POST requests to admin-ajax.php and as such do not leave distinct log entries, though they will be visible in Wordfence Live Traffic.” continues the report.

Admins of websites running vulnerable versions of the themes are recommended to update them. If no security patch is available for the installed theme, admins should switch to another theme.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.