Sucuri, a cybersecurity firm, says a WordPress theme called OneTone is being actively exploited by attackers. The theme's maker, Magee WP, has not responded to any of the reports made by researchers or by the bug finder, so no patch has been released, leaving over 16,000 sites at risk. The vulnerability is a cross-site scripting bug that lets an attacker plant malicious code in the target site and create a backdoor for later access.
16,000 Still At Risk
OneTone is a fairly popular theme, in use on at least 20,000 WordPress sites before the vulnerability was reported. Since the bug was disclosed, at least 4,000 of those users have migrated to other themes, leaving roughly 16,000 sites still at risk. The vulnerability is an XSS (cross-site scripting) bug first discovered by Jerome Bruandet of NinTechNet.
He reported it to the theme's maker and to the WordPress team in September last year. There has been no response from Magee WP (the maker of OneTone) since then, and the company has not released a patch of any kind since 2018. This led WordPress to delist the theme from its library in October last year.
Starting this month, attackers have been found exploiting the vulnerability to gain admin access, as reported by Sucuri. They store their malicious code in OneTone's settings, and because the theme reads those settings and outputs them on every page load, the injected code runs on every page of the site. That unconditional loading of theme settings is what turns a stored payload into a site-wide problem.
Once the code is in place, it performs two functions: redirecting traffic and setting up a backdoor. In the former, some of the site's visitors are diverted to a traffic distribution system hosted at ischeck[.]xyz. The latter creates a backdoor that grants the attacker admin-level access.
The code distinguishes administrators from ordinary visitors and only installs the backdoor for the former. Since the dashboard toolbar is shown to logged-in admins when they view a page, the code checks for it and, when present, quietly runs a hidden routine that installs the backdoor in one of two ways: by adding another administrator account (named "system") or by creating a cookie-based file on the server side. Either method preserves the attacker's access to the site even if the injected code is removed later.
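As an added defender-side example (not code from Sucuri, NinTechNet or the theme), the check below scans constructed wp_options and wp_users rows for the two traces described above: stored theme settings that carry script markup, an admin-toolbar probe or the ischeck[.]xyz redirect domain, and administrator accounts (such as one named "system") that are not on the site's known admin list. The option name, the payload text and all rows are assumptions made up for the example; only the redirect domain, the "system" account and the toolbar check come from the report.

```python
import re

# Constructed sample rows standing in for a wp_options export.
# The option name and payload are invented; the domain is the one from the report.
SAMPLE_OPTIONS = [
    ("blogname", "Example Site"),
    ("siteurl", "https://example.com"),
    ("theme_settings_hypothetical",
     '<script>if(document.getElementById("wpadminbar")){/* toolbar seen */}'
     'else{location.href="https://ischeck.xyz/"}</script>'),
]

# Constructed sample rows standing in for wp_users joined with the
# wp_capabilities meta value (a PHP-serialized array, as WordPress stores it).
SAMPLE_USERS = [
    ("editor_jane", "2019-03-02 10:00:00", 'a:1:{s:6:"editor";b:1;}'),
    ("site_owner", "2018-07-15 09:30:00", 'a:1:{s:13:"administrator";b:1;}'),
    ("system", "2020-04-12 03:17:45", 'a:1:{s:13:"administrator";b:1;}'),
]

# Indicators: inline script, javascript: URLs, a probe for the WordPress admin
# toolbar element, or the traffic-distribution domain named in the report.
INDICATOR_RE = re.compile(
    r"<script\b|javascript:|wpadminbar|ischeck\.xyz", re.IGNORECASE
)


def suspicious_options(options):
    """Return option names whose stored value matches any injection indicator."""
    return [name for name, value in options if INDICATOR_RE.search(value)]


def unexpected_admins(users, known_admins):
    """Return (login, registered) for administrators not in the known set."""
    return [
        (login, registered)
        for login, registered, caps in users
        if '"administrator"' in caps and login not in known_admins
    ]


def scan(options, users, known_admins):
    """Combine both checks into one findings dict for reporting."""
    return {
        "tainted_options": suspicious_options(options),
        "unknown_admins": unexpected_admins(users, known_admins),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_OPTIONS, SAMPLE_USERS, {"site_owner"}))
```

On a live site the same two checks map onto a wp_options dump and a wp_users/wp_usermeta dump; any hit warrants removing the stored payload, deleting the unknown account and rotating credentials, since the report notes the backdoor survives removal of the code alone.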