According to Wordfence, a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework is in progress. Epsilon is estimated to be installed on over over 150,000 sites.
“So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses,” Wordfence QA engineer and threat analyst Ram Gall revealed to bleepingcomputer.com.
This wave of attacks is targeting vulnerabilities that have only been patched in the last few months.
The following versions of the following themes are vulnerable to these attacks:
Shapely <=1.2.7
NewsMag <=2.4.1
Activello <=1.4.0
Illdy <=2.1.4
Allegiant <=1.2.2
Newspaper X <=1.3.1
Pixova Lite <=2.0.5
Brilliance <=1.2.7
MedZone Lite <=1.2.4
Regina Lite <=2.0.4
Transcend <=1.1.8
Affluent <1.1.0
Bonkers <=1.0.4
Antreas <=1.0.2
NatureMag Lite <=1.0.5
For the time being, the vast majority of these attacks appear to be probing attacks, designed to determine whether a site has a vulnerable theme installed rather than to perform an exploit chain, though full Remote Code Execution(RCE) leading to site takeover is possible with these vulnerabilities. Even though all Wordfence users are protected, we strongly recommend updating as soon as possible. We are not providing additional detail on the attacks at this time, as the exploit does not yet appear to be in a mature state and a large number of IP addresses are in use. These attacks use POST requests to admin-ajax.php and as such do not leave distinct log entries.
If your website is running one of these themes, it is critical to update to a patched version if one is available. If no patched version is available you will want to temporarily switch to another theme