Wordfence detected a large-scale attack on WordPress sites. Attackers are actively looking for sites that use themes built on the Epsilon Framework, which may be vulnerable to a number of problems such as function injection, which can eventually lead to a complete compromise of the site.
According to the company, unknown hackers have already made about 7,500,000 attacks on more than 1,500,000 sites, trying to find potentially vulnerable resources. These attacks are reported to originate from 18,000 different IP addresses.
While vulnerabilities in themes using the Epsilon Framework can lead to a complete takeover of a site, and the exploit chain ends in remote code execution (RCE), the current attacks are only probing for potentially vulnerable sites.
“At this time, we are not providing additional details about these attacks, due to the fact that the exploit used [by the hackers] is still in development and due to the use of a large number of IP addresses. These attacks use POST requests to admin-ajax.php and do not leave separate entries in the logs, although they are visible in Wordfence Live Traffic,” Wordfence engineers write.
Lots of WordPress themes using Epsilon Framework are vulnerable to these attacks. The researchers provide the following list of themes and versions:
Activello (1.4.0);
Illdy (2.1.4);
Allegiant (1.2.2);
Newspaper X (1.3.1);
Pixova Lite (2.0.5);
Brilliance (1.2.7);
MedZone Lite (1.2.4);
Regina Lite (2.0.4);
Transcend (1.1.8);
Bonkers (1.0.4);
Antreas (1.0.2);
NatureMag Lite (1.0.5).
Owners and administrators of sites running vulnerable versions of the listed themes are advised to immediately update them to a fixed version, if one is available. If there is no patch, you should switch to another theme as soon as possible.
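One way to check an installation against the list above, as an added example that is not code from Wordfence or from the original article: it reads the standard "Theme Name" and "Version" fields from each theme's style.css and reports listed themes that need updating. The function names are hypothetical, the sample theme tree is constructed, and treating every version at or below the listed one as affected is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Theme names and versions exactly as listed in the article.
LISTED = {
    "Activello": "1.4.0", "Illdy": "2.1.4", "Allegiant": "1.2.2",
    "Newspaper X": "1.3.1", "Pixova Lite": "2.0.5", "Brilliance": "1.2.7",
    "MedZone Lite": "1.2.4", "Regina Lite": "2.0.4", "Transcend": "1.1.8",
    "Bonkers": "1.0.4", "Antreas": "1.0.2", "NatureMag Lite": "1.0.5",
}
HEADER = re.compile(r"^[ \t/*#@]*(Theme Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def version_key(v):
    """Turn '1.3.1' into (1, 3, 1) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def read_header(style_css):
    """Return (theme name, version) from a theme's style.css header comment."""
    text = style_css.read_text(encoding="utf-8", errors="replace")[:8192]
    # reversed() makes the first occurrence of each field win.
    fields = {k.lower(): v for k, v in reversed(HEADER.findall(text))}
    return fields.get("theme name"), fields.get("version")

def audit(themes_dir):
    """Return (name, installed, listed) for listed themes that look affected."""
    listed = {n.lower(): (n, v) for n, v in LISTED.items()}
    hits = []
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        name, version = read_header(css)
        if not name or name.lower() not in listed:
            continue
        canon, bad = listed[name.lower()]
        # Assumption: a missing version, or one <= the listed one, is affected.
        if not version or version_key(version) <= version_key(bad):
            hits.append((canon, version, bad))
    return hits

def demo():
    """Run the audit over a constructed stand-in for wp-content/themes."""
    sample = {"illdy": ("Illdy", "2.1.4"), "activello": ("Activello", "1.4.2"),
              "newspaper-x": ("Newspaper X", "1.2.9"), "other": ("Other", "1.0")}
    with tempfile.TemporaryDirectory() as root:
        for slug, (name, ver) in sample.items():
            Path(root, slug).mkdir()
            Path(root, slug, "style.css").write_text(f"/*\nTheme Name: {name}\nVersion: {ver}\n*/\n")
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

On a real site, call `audit()` with the path to the `wp-content/themes` directory; inactive themes are reported too, since their files are still present on disk.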