Hackers target WordPress sites running OneTone theme


Hackers have begun actively targeting WordPress sites that run the OneTone theme, exploiting a vulnerability that lets them read and write cookies in visitors' browsers and create backdoor administrator accounts.

The vulnerability being exploited in the ongoing campaign is a cross-site scripting (XSS) bug in the OneTone WordPress theme, a theme by the developer Magee WP that has not been updated since 2018.

The XSS vulnerability, which allows an attacker to inject malicious code into the theme's settings, was first discovered by NinTechNet's Jerome Bruandet in September of last year. Bruandet informed Magee WP as well as the WordPress team about the bug at the time, but the developer did not release a patch despite the warning.

This led the WordPress team to remove the listing for the free version of the theme from the official WordPress repository in October of last year. Delisting does not uninstall anything, however, and at the time of writing just under 16,000 WordPress sites still have the theme installed.

OneTone vulnerability

According to a new report from the cybersecurity firm Sucuri, hackers began actively exploiting the bug in OneTone earlier this month.

Luke Leal, a malware researcher at the firm, explained that the attackers use the XSS bug to store malicious code inside OneTone's theme settings. Because the theme reads these settings before rendering any page, the injected code is served and executed on every page of a vulnerable site, for every visitor.

The code serves two functions: it redirects some of a vulnerable site's visitors to a traffic distribution system hosted at ischeck.xyz, and it plants backdoors. To target the right victims for the second function, the code recognizes logged-in administrators by checking for the WordPress admin toolbar at the top of the page.

Once a user with admin-level privileges is detected, the code rides that user's session to add a new administrator account to the site (under the user name "system") and to plant a second, server-side backdoor that grants admin-level access to any request presenting a cookie named Tho3faeK. Either backdoor keeps the attacker in control of the site even after the malicious script is removed from OneTone's settings or the underlying vulnerability is patched, so cleaning up the theme alone is not enough.
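The two passages above (malicious script stored in the theme settings, and the "system" user plus Tho3faeK cookie backdoors) give a site owner concrete indicators to hunt for. The following script is an added example, not code from the article, Sucuri or the OneTone theme: it takes a dump of the site's stored options, its user list and the contents of its theme files, and reports every indicator it finds. The option name `onetone_options`, the file paths and the sample data are constructed for the demonstration and are not taken from the real theme.

```python
import re

# Indicators of compromise named in the article.
MALICIOUS_DOMAIN = "ischeck.xyz"     # traffic distribution system the script redirects to
ROGUE_ADMIN_USER = "system"          # login of the administrator account the script adds
BACKDOOR_COOKIE = "Tho3faeK"         # cookie name checked by the server-side backdoor

# Anything that would execute as script if echoed into a page unescaped.
SCRIPT_RE = re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def scan_theme_settings(options):
    """options: dict of option_name -> raw stored value (as read from wp_options).
    Stored XSS in a theme setting shows up as script markup or the TDS domain
    inside a value that should only hold plain text or a colour code."""
    findings = []
    for name, value in options.items():
        if not isinstance(value, str):
            continue
        if SCRIPT_RE.search(value):
            findings.append(f"script markup in option '{name}'")
        if MALICIOUS_DOMAIN in value:
            findings.append(f"reference to {MALICIOUS_DOMAIN} in option '{name}'")
    return findings


def scan_users(users, known_admins):
    """users: list of (login, role). Any administrator not on the owner's
    approved list is suspicious; the 'system' login is the one this campaign creates."""
    findings = []
    for login, role in users:
        if role == "administrator" and login not in known_admins:
            note = " (login used by the OneTone campaign)" if login == ROGUE_ADMIN_USER else ""
            findings.append(f"unexpected administrator '{login}'{note}")
    return findings


def scan_files(files):
    """files: dict of path -> file contents. The server-side backdoor has to
    name the cookie it checks for, so the cookie name is a reliable string IOC."""
    return [f"backdoor cookie name {BACKDOOR_COOKIE} in {path}"
            for path, content in files.items() if BACKDOOR_COOKIE in content]


def scan_site(options, users, known_admins, files):
    """Run all three checks and return the combined list of findings."""
    return scan_theme_settings(options) + scan_users(users, known_admins) + scan_files(files)


# Constructed sample data modelling a compromised site (not real captured data).
SAMPLE_OPTIONS = {
    "blogname": "Example Site",
    "onetone_options": 'a:1:{s:7:"tagline";s:48:"<script src="https://ischeck.xyz/t.js"></script>";}',
}
SAMPLE_USERS = [("alice", "administrator"), ("system", "administrator"), ("bob", "editor")]
KNOWN_ADMINS = {"alice"}
SAMPLE_FILES = {
    "wp-content/themes/onetone/functions.php":
        "<?php if (isset($_COOKIE['Tho3faeK'])) { wp_set_current_user(1); } ?>",
    "wp-content/themes/onetone/style.css": "/* Theme Name: OneTone */",
}

if __name__ == "__main__":
    for finding in scan_site(SAMPLE_OPTIONS, SAMPLE_USERS, KNOWN_ADMINS, SAMPLE_FILES):
        print("FINDING:", finding)
```

On a live site the inputs would come from WP-CLI (`wp option list --search='onetone*'` and `wp user list --role=administrator`, both real commands, the option-name pattern being an assumption) and a recursive read of the `wp-content/themes` directory. Note that absence of findings only shows these particular indicators are not present; an attacker who already used the backdoors may have renamed or moved them.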

However, a patch for the OneTone vulnerability is unlikely to arrive any time soon, as Magee WP has not updated the theme since 2018. WordPress users still running the theme should switch to another theme and remove OneTone entirely rather than merely deactivating it. Because the campaign's backdoors survive removal of the injected code, site owners should also review the list of administrator accounts for any they did not create and check the site's files for the cookie-based backdoor before considering the site clean.

Via ZDNet

Anthony Spadafora
