Hackers Targeting WordPress Sites Running the OneTone theme to Exploit a Vulnerability


Hackers actively target WordPress sites that operate with OneTone theme to exploit a vulnerability that enables them to read and write site cookies and build backdoor administrative accounts.

Since the beginning of the month, the initiative has been going on and is still ongoing.

A bug in OneTone, a common but now discontinued WordPress theme created by Magee WP, is a cross-site scripting vulnerability and is available in both a free and paid version.

The XSS vulnerability allows an attacker to insert malicious code into the settings of the subject. The bug was found in September last year by NinTechNet’s Jerome Bruandet and confirmed to the thematic writer and WordPress team.

Magee WP has not released any patches for its website since 2018. After Magee failed to patch, a month later in October 2019, the WordPress team delisted the free edition of the theme from the official WordPress repositories.

This bug began to be exploited by attackers earlier this month, according to a GoDaddy-owned cybersecurity company Sucuri research.

Sucuri experts say hackers have inserted malicious code into the OneTone theme settings using an XSS flaw. Since the subject checks these settings before loading a page, the system is activated on any vulnerable website’s page.

Luke Leal of Sucuri says the code has two main functions. One is to redirect some of the incoming users to an ischeck[.]xyz the delivery system, while a second feature establishes backdoor mechanisms.

For most visitors to the web, the backdoor mechanism is inactive. It can only be activated if website managers visit the site.

The malicious code may identify website administrators who access the website from regular users, as it looks for the WordPress toolbar at the head of the page, which only appears for registered admin.

If an admin user is detected, the malicious code inserted in XSS carries out a series of silent automatic operations that use the admin user’s permission, without their knowledge.

Leal says backdoors are generated in two ways – by adding an admin account into the WordPress dashboard or creating an admin account-level cookie file on the server-side.

The role of the two backdoors is to allow the website access for the attacker if the XSS code has been removed from OneTone or the vulnerability of XSS OneTone has been fixed.

Unfortunately, it seems like a remedy will never be available. While informed last year, the company did not respond two weeks ago to a request for a response from Sucuri and did not reply last week to a similar ZDNet email.

There are also ongoing attacks on OneTone pages. Sucuri announced that over 20,000 WordPress pages had an OneTone theme two weeks ago.

Today, the number has fallen to under 16,000, as site owners started to move to other topics due to current hacks.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.