Flaw in defunct WordPress plugin exploited to create backdoor

A vulnerability discovered last year in the defunct OneTone WordPress theme plugin is now being exploited by hackers to compromise entire sites while installing backdoor admin accounts.

The attacks were noticed earlier this month by security company Sucuri, and are believed to be ongoing.

The vulnerability that makes it possible is a cross-site scripting (XSS) flaw that allows attackers to inject malicious JavaScript into the plugin’s settings, redirecting innocent visitors to the attacker’s landing page.

In addition, JavaScript is injected via HTML <script> tags, which allows attackers to detect and hijack authenticated admin sessions.

If successful, hijacking this session in turn allows them to create a backdoor admin account as well as set up additional PHP backdoors through the WordPress dashboard for added persistence. Luke Leal from Sucuri said:

Planting a variety of backdoors ensures the success of the campaign – in the event that the vulnerability is patched or the JavaScript injection is removed, the attackers will still be able to access the compromised environment.

Unfortunately, because the plugin seems to have stopped being updated in early 2018, and the company behind it hasn’t replied to Sucuri’s contacts, it seems reasonable to assume it will never be patched beyond its current version 1.1.1.

A company called NinTechNet first reported the flaw to WordPress.org last September, where it is now listed with a warning about its status for the 10,000 sites believed to still be using it.

The vulnerabilities that make compromise possible are now identified as CVE-2019-17230 and CVE-2019-17231.

The issue of vulnerable plugins is now a perennial issue for WordPress sites which is why the platform’s maintainers recently started testing a tool to manage this process automatically.

The problem with OneTone, of course, is that no update appears likely to arrive. If the OneTone plugin is installed on your site, the best advice is simply to uninstall it as soon as you can.


Latest Naked Security podcast

go top