Hackers target WordPress sites running OneTone theme


Hackers have begun to actively target WordPress sites running the OneTone theme in an effort to exploit a vulnerability that gives them the ability to read and write cookies as well as create backdoor admin accounts.

The vulnerability being exploited in the ongoing campaign is a cross-site scripting (XSS) bug in the OneTone WordPress theme created by the developer Magee WP which has not been updated since 2018.

The XSS vulnerability, which lets an attacker inject malicious code into the theme's settings, was first discovered by NinTechNet's Jerome Bruandet in September of last year. Bruandet reported the bug to Magee WP and to the WordPress team at the time, but the developer did not release a patch despite the warning.

This led the WordPress team to remove the listing for the free version of the theme from the official WordPress repository in October of last year. However, at the time of writing, just under 16,000 WordPress users still have the theme on their sites.

OneTone vulnerability

According to a new report from the cybersecurity firm Sucuri, hackers began actively exploiting the bug in OneTone earlier this month.

Luke Leak, a malware researcher at the firm, explained that the attackers use the XSS bug to store malicious code in OneTone's theme settings. Because the theme reads these settings when rendering every page, the injected code runs on every page of a vulnerable site.

The code does two things: it redirects some of a vulnerable site's visitors to a traffic distribution system hosted at ischeck.xyz, and it plants backdoors. It can also tell whether the current visitor is a site administrator by checking for the WordPress admin toolbar at the top of the page.

Once a visitor with administrator privileges is detected, the code either adds a new administrator account to the site (with the user name system) or installs a server-side backdoor keyed on a cookie named Tho3faeK that grants admin-level access to whoever presents it. Either backdoor keeps the attacker in even after the injected code is removed from OneTone's settings or the vulnerability is patched.
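As an added example, and not code from the article, Sucuri, or the theme, the following Python check hunts for the indicators the report names: inline script or an ischeck.xyz reference in OneTone's stored settings, an administrator account that is not on the site's known list (such as the campaign's user name system), and theme files that read a cookie named Tho3faeK. The option rows, user rows and file paths are constructed sample data; that OneTone keeps its settings in wp_options under option names containing "onetone" is an assumption, so adjust the name filter to what your database dump actually shows.

```python
"""Indicator check for the OneTone campaign described above (added example).

Constructed sample data stands in for rows read from wp_options and wp_users
and for theme files read from disk. Assumption: OneTone stores its settings
in wp_options under names containing "onetone"; adapt NAME_FILTER if not.
"""
import re

# Indicators taken from the article: inline script in theme settings, the
# ischeck.xyz traffic distribution system, a cookie named Tho3faeK, and a
# rogue administrator with the login "system".
SCRIPT_RE = re.compile(r"<script\b|javascript:|eval\(|atob\(", re.I)
TDS_RE = re.compile(r"ischeck\.xyz", re.I)
COOKIE_NAME = "Tho3faeK"
ROGUE_LOGINS = {"system"}
NAME_FILTER = "onetone"

# --- constructed sample input (not real site data) -------------------------
SAMPLE_OPTIONS = {
    "blogname": "Example Site",
    "onetone_options": (
        '{"header_text":"Welcome"}'
        '<script>if(document.getElementById("wpadminbar")){/* plant backdoor */}'
        'else{location="https://ischeck.xyz/?r=1"}</script>'
    ),
    "onetone_footer": "Copyright 2018",
}
SAMPLE_USERS = [
    {"user_login": "siteowner", "roles": ["administrator"]},
    {"user_login": "system", "roles": ["administrator"]},
    {"user_login": "writer", "roles": ["editor"]},
]
KNOWN_ADMINS = {"siteowner"}
SAMPLE_FILES = {  # hypothetical paths; inc/hooks.php is the planted file here
    "wp-content/themes/onetone/functions.php":
        "<?php\n// untouched theme code\nadd_action('init', 'onetone_setup');\n",
    "wp-content/themes/onetone/inc/hooks.php":
        "<?php\nif (isset($_COOKIE['Tho3faeK'])) { /* grant admin session */ }\n",
}


def find_injected_options(options, name_filter=NAME_FILTER):
    """Return (option_name, reason) for theme settings carrying script/TDS markers."""
    hits = []
    for name, value in options.items():
        if name_filter not in name.lower():
            continue
        text = value if isinstance(value, str) else repr(value)
        if TDS_RE.search(text):
            hits.append((name, "references ischeck.xyz"))
        elif SCRIPT_RE.search(text):
            hits.append((name, "contains inline script"))
    return hits


def find_unexpected_admins(users, known_admins):
    """Return administrator logins that are rogue or not on the site's known list."""
    return [
        u["user_login"]
        for u in users
        if "administrator" in u["roles"]
        and (u["user_login"] in ROGUE_LOGINS or u["user_login"] not in known_admins)
    ]


def find_cookie_backdoors(files):
    """Return paths of PHP sources that read the campaign's cookie name."""
    return sorted(
        path for path, src in files.items()
        if COOKIE_NAME in src and "$_COOKIE" in src
    )


def scan(options, users, known_admins, files):
    """Run all three checks and return the findings as one dict."""
    return {
        "injected_options": find_injected_options(options),
        "unexpected_admins": find_unexpected_admins(users, known_admins),
        "cookie_backdoors": find_cookie_backdoors(files),
    }


if __name__ == "__main__":
    for key, findings in scan(SAMPLE_OPTIONS, SAMPLE_USERS, KNOWN_ADMINS, SAMPLE_FILES).items():
        print(f"{key}: {findings}")
```

On a live site the three inputs come from `SELECT option_name, option_value FROM wp_options`, `SELECT user_login FROM wp_users` joined with the `wp_capabilities` meta, and a walk of wp-content/themes; the checks are deliberately simple string matches because the campaign's markers are literal names, and a non-empty result from any of them means the site needs cleanup beyond just switching themes.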

However, a patch for the OneTone vulnerability is unlikely any time soon, as Magee WP has not updated the theme since 2018. WordPress users still running the theme should therefore disable it to avoid falling victim to this campaign. Because the backdoors survive removal of the injected code, sites that ran the theme while vulnerable should also review their administrator accounts and theme files rather than just switching themes.

Via ZDNet

Anthony Spadafora