Security researchers have discovered evidence suggesting that two recently patched vulnerabilities in a popular WordPress themes package are being actively exploited.
Analysts at Wordfence, who develop security solutions including plugins to protect the popular content management system (CMS), believe that over 100,000 unpatched installations of the themes are in the crosshairs of hackers.
“We are seeing these vulnerabilities being actively exploited in the wild, and we urge users to update to the latest versions available immediately since they contain a patch for these vulnerabilities,” appeal the researchers as they share evidence of exploitation.
Active campaign
Wordfence believes the threat actors have chained together the two vulnerabilities to find a way to upload arbitrary files on the vulnerable WordPress hosts.
After analysing the intrusion vector, the researchers note that the hackers are using the Unauthenticated Option Update vulnerability to first update an option in the associated database on the website. Once successful, they then use the Unauthenticated Arbitrary File Upload vulnerability to upload malicious PHP files.
One of the files (signup.php) is placed in the webroot of compromised websites and is thought to be a backdoor that will help infect more sites. A small subset of the infected sites also have another file (client.php) that appears to be used for injecting spam.
The researchers have found evidence of these malicious PHP payloads on over 1900 websites. They’ll share more details soon as they continue to study the ongoing campaign.
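The two file names reported above give site owners something concrete to look for. The following is an added example, not code from Wordfence or from this article: a Python triage pass over a hosting directory, run here against a constructed sample tree. Treating wp-load.php as the marker of a WordPress root and matching client.php at any depth are assumptions, and a name match is only a lead for manual review.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# File names taken from the article. A name match is only a lead for review.
WEBROOT_NAMES = {"signup.php"}   # reported in the webroot of compromised sites
ANYWHERE_NAMES = {"client.php"}  # the article does not say where this one lands

def find_wordpress_roots(base):
    """Return directories under base holding wp-load.php (assumed root marker)."""
    roots = []
    for dirpath, dirnames, filenames in os.walk(base):
        if "wp-load.php" in filenames:
            roots.append(Path(dirpath))
            dirnames[:] = []  # the install itself is walked by triage_site()
    return sorted(roots)

def triage_site(root):
    """List files in one install whose name and location match the report."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        at_webroot = Path(dirpath) == root
        for name in filenames:
            if (name in WEBROOT_NAMES and at_webroot) or name in ANYWHERE_NAMES:
                path = Path(dirpath) / name
                stamp = time.gmtime(path.stat().st_mtime)
                hits.append({
                    "site": root.name,
                    "file": path.relative_to(root).as_posix(),
                    "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                    "modified_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", stamp),
                })
    return sorted(hits, key=lambda h: h["file"])

def demo():
    """Run the triage over a constructed tree: one flagged site, one clean."""
    layout = ["shop/wp-load.php", "shop/signup.php", "shop/wp-content/client.php",
              "blog/wp-load.php", "blog/wp-content/plugins/forms/signup.php"]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in layout:
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("<?php // constructed sample\n")
        return [h for r in find_wordpress_roots(Path(tmp)) for h in triage_site(r)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The hash and modification time in each hit are there so a flagged file can be compared across sites and placed on a timeline before it is removed.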