Hackers have started actively targeting WordPress sites running the OneTone theme in an attempt to exploit a vulnerability that offers them the ability to read and write cookies and create backdoor administration accounts.
The vulnerability exploited in the current campaign is a cross-site scripting (XSS) bug in the OneTone WordPress theme created by the developer Magee WP that has not been updated since 2018.
The XSS vulnerability, which allows an attacker to enter malicious code into the theme settings, was first discovered by NinTechNet's Jerome Bruandet in September last year. Bruandet informed Magee WP and the WordPress team of the bug at the time, but the developer did not release a patch despite the warning.
This led the WordPress team to remove the listing for the free version of the theme from the official WordPress repository in October last year. However, at the time of writing, just under 16,000 WordPress users still have the theme on their sites.
According to a new report from cyber security firm Sucuri, hackers started actively exploiting the bug in OneTone earlier this month.
Luke Leal, a malware researcher at the company, explained that the attackers use the XSS bug to insert malicious code into the OneTone theme settings. Since the theme reads these settings before loading any page, the malicious code is executed on every page of a vulnerable site.
The code itself performs two functions: it redirects some visitors of a vulnerable site to a traffic distribution system hosted on ischeck.xyz, and a second function allows the creation of backdoors. The malicious code can also recognise site administrators, as it looks for the presence of the WordPress admin toolbar at the top of a page.
Once a user with administrator-level privileges is detected, the code adds an administrator account to the site's WordPress dashboard (under the username system) or plants a server-side, administrator-level cookie backdoor named Tho3faeK. These two backdoors allow an attacker to access the site even if the malicious XSS code is removed from the OneTone settings or the vulnerability ends up being fixed.
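A defender-side triage script for the chain described above, added here as an illustration and not code from Sucuri or the theme: it scans exported wp_options rows for script content or the ischeck.xyz domain, lists administrator accounts named system, and searches theme files for the Tho3faeK cookie name. The option name and file paths in the constructed sample data are assumptions, not values from the report.

```python
import re

# Indicators taken from the article: the redirect domain, the backdoor
# admin username and the backdoor cookie name.
IOC_DOMAINS = ("ischeck.xyz",)
BACKDOOR_USERNAMES = ("system",)
BACKDOOR_COOKIE = "Tho3faeK"

# Stored XSS in theme settings shows up as script markup inside option values.
SCRIPT_RE = re.compile(r"<script\b|javascript:", re.IGNORECASE)


def scan_options(options):
    """Flag (option_name, option_value) rows, e.g. from
    `SELECT option_name, option_value FROM wp_options`, that carry
    script markup or a known campaign domain."""
    findings = []
    for name, value in options:
        reasons = []
        if SCRIPT_RE.search(value):
            reasons.append("script-like content in option value")
        reasons += [f"references {d}" for d in IOC_DOMAINS if d in value]
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def scan_users(users):
    """Return administrator logins matching the campaign's backdoor username.
    `users` is an iterable of (user_login, role) pairs."""
    return [login for login, role in users
            if role == "administrator" and login in BACKDOOR_USERNAMES]


def scan_theme_files(files):
    """Return paths (from a {path: contents} map of theme files)
    whose contents mention the backdoor cookie name."""
    return [path for path, body in files.items() if BACKDOOR_COOKIE in body]


# Constructed sample data; the option name and paths are assumed placeholders.
SAMPLE_OPTIONS = [
    ("blogname", "My Site"),
    ("onetone_settings_placeholder",
     'a:1:{s:6:"footer";s:48:"<script src="https://ischeck.xyz/x.js"></script>";}'),
]
SAMPLE_USERS = [("admin", "administrator"), ("system", "administrator"), ("bob", "editor")]
SAMPLE_FILES = {"onetone/functions.php": "<?php // clean theme file",
                "onetone/inc/extra.php": "<?php // contains the marker Tho3faeK"}

if __name__ == "__main__":
    for name, why in scan_options(SAMPLE_OPTIONS):
        print(f"option {name}: {why}")
    print("suspicious admins:", scan_users(SAMPLE_USERS))
    print("files with cookie backdoor marker:", scan_theme_files(SAMPLE_FILES))
```

Run it against a real `wp_options` export, the `wp_users`/`wp_usermeta` role list and the theme directory; any hit warrants removing the injected setting, deleting the rogue account and restoring the theme files from a clean copy.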
However, a patch for the OneTone vulnerability is unlikely to arrive soon, as Magee WP hasn't updated the theme since 2018. WordPress users who are still running the theme should therefore disable it to avoid falling victim to this latest hacking campaign.