A vulnerability discovered last year in the defunct OneTone WordPress theme plugin is now being exploited by hackers to compromise entire sites while installing backdoor admin accounts.
The attacks were noticed earlier this month by security company Sucuri, and are believed to be ongoing.
If the attack succeeds, hijacking the session in turn allows the attackers to create a backdoor admin account and to set up additional PHP backdoors through the WordPress dashboard for added persistence. Luke Leal from Sucuri said:
Unfortunately, because the plugin seems to have stopped being updated in early 2018, and the company behind it hasn’t replied to Sucuri’s contacts, it seems reasonable to assume it will never be patched beyond its current version 1.1.1.
A company called NinTechNet first reported the flaw to WordPress.org last September, where it is now listed with a warning about its status for the 10,000 sites believed to still be using it.
The vulnerabilities that make compromise possible are now identified as CVE-2019-17230 and CVE-2019-17231.
Vulnerable plugins are now a perennial problem for WordPress sites, which is why the platform’s maintainers recently started testing a tool to manage this process automatically.
The problem with OneTone, of course, is that no update appears likely to arrive. If the OneTone plugin is installed on your site, the best advice is simply to uninstall it as soon as you can.
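For a site owner acting on that advice, the practical follow-up is to confirm whether the theme is still present and, if it is, to look for the two persistence mechanisms the article describes: a newly registered administrator account and PHP files dropped where they do not belong. The script below is an added example for that triage, not code from the article, Sucuri or NinTechNet. It assumes the theme directory slug is `onetone`, that legitimate media uploads never contain PHP files, and that the administrator list is exported as CSV (for instance from `wp user list --role=administrator --fields=user_login,user_registered --format=csv`); the sample site tree, file names, account names and cut-off date are constructed for the demonstration.

```python
"""Triage checks for a WordPress install that ran the OneTone theme.

Added example (not from the article). Assumptions, none stated on the page:
  - the theme lives under wp-content/themes/onetone
  - wp-content/uploads should never contain PHP code
  - admin accounts come from a CSV with user_login,user_registered columns
"""
import csv
import io
import os
import tempfile
from datetime import datetime

THEME_SLUG = "onetone"  # assumed directory slug of the OneTone theme
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def theme_installed(root, slug=THEME_SLUG):
    """True if the theme directory is still present under the site root."""
    return os.path.isdir(os.path.join(root, "wp-content", "themes", slug))


def php_files_in_uploads(root):
    """Return site-relative paths of PHP files found under wp-content/uploads.

    WordPress stores media there; executable PHP in that tree is a classic
    sign of a web shell dropped through the dashboard or an upload bug.
    """
    uploads = os.path.join(root, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            if name.lower().endswith(PHP_SUFFIXES):
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def admins_registered_since(csv_text, since_iso):
    """Admin logins whose user_registered date is on or after since_iso (YYYY-MM-DD).

    Use the date you last reviewed the user list, or the date the attacks
    were first reported, as the cut-off; every hit needs a human to confirm it.
    """
    since = datetime.strptime(since_iso, "%Y-%m-%d")
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            flagged.append(row["user_login"])
    return flagged


def run_checks(root, admin_csv, since_iso):
    """Bundle the three checks into one report dict."""
    return {
        "onetone_present": theme_installed(root),
        "php_in_uploads": php_files_in_uploads(root),
        "new_admins": admins_registered_since(admin_csv, since_iso),
    }


# --- constructed sample data so the script runs offline --------------------
SAMPLE_ADMIN_CSV = """user_login,user_registered
siteowner,2017-04-02 10:15:00
wp-admin-support,2020-05-11 03:22:41
"""


def build_sample_site():
    """Create a throwaway directory tree shaped like a compromised install."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    for rel in ("wp-content/themes/onetone",
                "wp-content/uploads/2020/03",
                "wp-content/uploads/2020/05"):
        os.makedirs(os.path.join(root, rel))
    # a normal media file and a constructed PHP drop-in with a misleading name
    open(os.path.join(root, "wp-content/uploads/2020/03/photo.jpg"), "w").close()
    open(os.path.join(root, "wp-content/uploads/2020/05/wp-cache.php"), "w").close()
    return root


if __name__ == "__main__":
    site = build_sample_site()
    report = run_checks(site, SAMPLE_ADMIN_CSV, "2020-05-01")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real site by passing the document root and a fresh admin CSV to `run_checks` instead of the sample builders. The uploads check only covers files dropped into the media tree; backdoors written into theme or plugin files through the dashboard editor are better caught by comparing those directories against clean copies from WordPress.org, which this script does not do.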