Wordfence Blog

Large-Scale Attacks Target Epsilon Framework Themes

This entry was posted in Research, Vulnerabilities, WordPress Security on November 17, 2020 by Ram Gall

On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites. So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses. While we occasionally see attacks targeting a large number of sites, most of them target older vulnerabilities.

This wave of attacks is targeting vulnerabilities that have only been patched in the last few months. All Wordfence users are protected against these attacks, including Wordfence Premium customers and sites still running the free version of Wordfence.

Vulnerable Themes

The following themes, at the versions listed, are vulnerable to these attacks:

Shapely <=1.2.7
NewsMag <=2.4.1
Activello <=1.4.0
Illdy <=2.1.4
Allegiant <=1.2.2
Newspaper X <=1.3.1
Pixova Lite <=2.0.5
Brilliance <=1.2.7
MedZone Lite <=1.2.4
Regina Lite <=2.0.4
Transcend <=1.1.8
Affluent <1.1.0
Bonkers <=1.0.4
Antreas <=1.0.2
NatureMag Lite <=1.0.5

Probing attacks – For now

For the time being, the vast majority of these attacks appear to be probing attacks, designed to determine whether a site has a vulnerable theme installed rather than to perform an exploit chain. Full Remote Code Execution (RCE) leading to site takeover is nonetheless possible with these vulnerabilities. Even though all Wordfence users are protected, we strongly recommend updating as soon as possible. We are not providing additional detail on the attacks at this time, as the exploit does not yet appear to be in a mature state and a large number of IP addresses are in use. These attacks use POST requests to admin-ajax.php and as such do not leave distinct log entries, though they will be visible in Wordfence Live Traffic.

What should I do?

If your website is running one of these themes, it is critical to update to a patched version if one is available. If no patched version is available, you will want to temporarily switch to another theme or use a firewall like Wordfence, either Premium or free, that blocks these attacks. If you have made customizations to these themes without the use of a child theme, you will want to download a backup copy of the current version before updating. If anyone you know is running any of these themes, please share this article to ensure they update their site as well.


6 Comments on "Large-Scale Attacks Target Epsilon Framework Themes"

Gary November 17, 2020 at 2:41 pm

I’m just going to say it... “I love you guys!!”. Thanks for everything... I sincerely appreciate it!

Matthew Gonzales November 17, 2020 at 5:27 pm

I can't say enough about your product. I apologize for not having the funds at the moment to purchase your premium version, but I am sold! I will purchase on my next payday and thank you for the updates and reports. If your free version is this incredible I am really excited to actually pay for a product now! Thank you!

simon November 17, 2020 at 8:01 pm

Yes, my one site was hacked. Thank God I have Wordfence Premium on my main money site.

Sixtus Seelenmeyer November 17, 2020 at 11:56 pm

Thanks for all - good job - in always strange times ...

posicionArte November 18, 2020 at 1:17 pm

Thanks for the advisory,

Thanks for the warning. Actually, before I had Wordfence I was hacked, and today I install Wordfence on all my sites and its effectiveness has been incredible.
It also made visible the number of attacks received each day.

I am a website designer and administrator, so I know what I am talking about.

For that and more, thanks, thank you very much.

sibersonik November 23, 2020 at 8:54 am

great warning.. good job..thanks
