Unknown threat actors are scanning for WordPress websites that run Epsilon Framework themes, which are installed on over 150,000 sites and are vulnerable to Function Injection attacks that could lead to full site takeovers.
"So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses," Wordfence QA engineer and threat analyst Ram Gall said.
Scanning for vulnerable sites
The ongoing large-scale wave of attacks against potentially vulnerable WordPress websites is targeting recently patched vulnerabilities.
While the security flaws found during the last few months in themes using the Epsilon Framework could allow for site takeover through an exploit chain ending in remote code execution (RCE), most of these ongoing attacks are designed to only probe for vulnerabilities.
"We are not providing additional detail on the attacks at this time, as the exploit does not yet appear to be in a mature state and a large number of IP addresses are in use," Gall added.
These attacks use POST requests to admin-ajax.php and as such do not leave distinct log entries, though they will be visible in Wordfence Live Traffic.
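A standard access log records the request line but not the POST body, so these probes look like any other admin-ajax.php call. What a site owner can still measure is the volume of POSTs to that endpoint and how many distinct addresses they come from. The script below is an added example, not code from Wordfence or the original article. The log lines, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log line. The POST body (and therefore the
# AJAX action being called) is not part of this format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<hour>[^:]+:\d{2}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} '
)

def ajax_posts_by_hour(lines):
    """Return {hour: {"requests": int, "ips": set}} for POSTs to admin-ajax.php."""
    hours = defaultdict(lambda: {"requests": 0, "ips": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore any query string when matching the endpoint.
        if not m["path"].split("?", 1)[0].endswith("/wp-admin/admin-ajax.php"):
            continue
        hours[m["hour"]]["requests"] += 1
        hours[m["hour"]]["ips"].add(m["ip"])
    return dict(hours)

def flag_surges(hours, min_requests=3, min_ips=3):
    """Hours where both volume and source-IP spread reach the thresholds.
    The defaults are illustrative assumptions; derive real ones from a baseline."""
    return sorted(h for h, s in hours.items()
                  if s["requests"] >= min_requests and len(s["ips"]) >= min_ips)

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:09:12:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:09:12:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.1 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1 "-" "-"',
    '198.51.100.2 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1 "-" "-"',
    '203.0.113.5 - - [01/Jan/2024:10:01:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 1 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=x HTTP/1.1" 200 1 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:10:02:20 +0000] "POST /wp-login.php HTTP/1.1" 200 1 "-" "-"',
]

if __name__ == "__main__":
    hours = ajax_posts_by_hour(SAMPLE_LOG)
    for hour in flag_surges(hours):
        s = hours[hour]
        print(f"{hour}: {s['requests']} POSTs from {len(s['ips'])} IPs")
```

A flagged hour only indicates unusual POST traffic to the endpoint. Legitimate plugins also use admin-ajax.php, so thresholds need to be set against the site's normal traffic.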