Effective URL: https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/?is=e3832f108acb1d173b1c8560e6e...
Submission: On June 09 via api from IE — Scanned from DE


Ram Gall
November 17, 2020


LARGE-SCALE ATTACKS TARGET EPSILON FRAMEWORK THEMES

On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of
attacks against recently reported Function Injection vulnerabilities in themes
using the Epsilon Framework, which we estimate are installed on over 150,000
sites. So far today, we have seen a surge of more than 7.5 million attacks
against more than 1.5 million sites targeting these vulnerabilities, coming from
over 18,000 IP addresses. While we occasionally see attacks targeting a large
number of sites, most of them target older vulnerabilities.

This wave of attacks is targeting vulnerabilities that have only been patched in
the last few months. All Wordfence users are protected against these attacks,
including Wordfence Premium customers and sites still running the free version
of Wordfence.


VULNERABLE THEMES

The following themes, at the versions shown, are vulnerable to these attacks:

Shapely <=1.2.7
NewsMag <=2.4.1
Activello <=1.4.0
Illdy <=2.1.4
Allegiant <=1.2.2
Newspaper X <=1.3.1
Pixova Lite <=2.0.5
Brilliance <=1.2.7
MedZone Lite <=1.2.4
Regina Lite <=2.0.4
Transcend <=1.1.8
Affluent <1.1.0
Bonkers <=1.0.4
Antreas <=1.0.2
NatureMag Lite <=1.0.5


PROBING ATTACKS – FOR NOW

For the time being, the vast majority of these attacks appear to be probing
attacks, designed to determine whether a site has a vulnerable theme installed
rather than to perform an exploit chain, though full Remote Code Execution (RCE)
leading to site takeover is possible with these vulnerabilities. Even though all
Wordfence users are protected, we strongly recommend updating as soon as
possible. We are not providing additional detail on the attacks at this time, as
the exploit does not yet appear to be in a mature state and a large number of IP
addresses are in use. These attacks use POST requests to admin-ajax.php and as
such do not leave distinct log entries, though they will be visible in Wordfence
Live Traffic.


WHAT SHOULD I DO?

If your website is running one of these themes, it is critical to update to a
patched version if one is available. If no patched version is available, you will
want to temporarily switch to another theme or use a firewall like Wordfence,
either Premium or free, that blocks these attacks. If you have made
customizations to these themes without the use of a child theme, you will want
to download a backup copy of the current version before updating. If anyone you
know is running any of these themes, please share this article to ensure they
update their site as well.
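
To check a server against the list under VULNERABLE THEMES, the following added example (not Wordfence code) reads the `style.css` header of every directory under `wp-content/themes` and flags listed themes in the affected version range, plus child themes whose parent is affected. It assumes each theme's `Theme Name` header matches the name as written in this post; the sample tree it builds when run without a path is constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

# Theme Name -> (operator, version), copied from the list in this post.
VULNERABLE = {
    "shapely": ("<=", "1.2.7"), "newsmag": ("<=", "2.4.1"),
    "activello": ("<=", "1.4.0"), "illdy": ("<=", "2.1.4"),
    "allegiant": ("<=", "1.2.2"), "newspaper x": ("<=", "1.3.1"),
    "pixova lite": ("<=", "2.0.5"), "brilliance": ("<=", "1.2.7"),
    "medzone lite": ("<=", "1.2.4"), "regina lite": ("<=", "2.0.4"),
    "transcend": ("<=", "1.1.8"), "affluent": ("<", "1.1.0"),
    "bonkers": ("<=", "1.0.4"), "antreas": ("<=", "1.0.2"),
    "naturemag lite": ("<=", "1.0.5"),
}
HEADER = re.compile(r"^[ \t/*#@]*(Theme Name|Version|Template):(.*)$", re.I | re.M)

def read_header(style_css):
    """Return the first Theme Name / Version / Template values in style.css."""
    fields = {}
    for key, value in HEADER.findall(Path(style_css).read_text(errors="replace")[:8192]):
        fields.setdefault(key.lower(), value.strip())
    return fields

def vtuple(version, width=4):
    """Numeric version parts, zero-padded so 1.1 compares equal to 1.1.0."""
    parts = [int(n) for n in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))

def is_vulnerable(name, version):
    rule = VULNERABLE.get(name.strip().lower())
    if rule is None:
        return False
    if not version:  # listed theme without a Version header: fail closed
        return True
    op, limit = rule
    return vtuple(version) <= vtuple(limit) if op == "<=" else vtuple(version) < vtuple(limit)

def audit(themes_dir):
    """List (slug, name, version, reason) for every affected theme directory."""
    headers = {d.name: read_header(d / "style.css")
               for d in sorted(Path(themes_dir).iterdir()) if (d / "style.css").is_file()}
    findings = []
    for slug, h in headers.items():
        name, version = h.get("theme name", ""), h.get("version", "")
        parent = headers.get(h.get("template", ""), {})
        if is_vulnerable(name, version):
            findings.append((slug, name, version, "installed"))
        elif is_vulnerable(parent.get("theme name", ""), parent.get("version", "")):
            findings.append((slug, name, version, "child of " + h["template"]))
    return findings

def build_sample(root):
    """Constructed wp-content/themes tree used when no path is given."""
    sample = {"shapely": "Theme Name: Shapely\nVersion: 1.2.7",
              "my-child": "Theme Name: My Child\nTemplate: shapely\nVersion: 1.0",
              "illdy": "Theme Name: Illdy\nVersion: 2.1.5",
              "affluent": "Theme Name: Affluent\nVersion: 1.1.0"}
    for slug, header in sample.items():
        (Path(root) / slug).mkdir(parents=True)
        (Path(root) / slug / "style.css").write_text("/*\n" + header + "\n*/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else (build_sample(tmp) or tmp)
        for finding in audit(target):
            print(*finding, sep="\t")
```

A vulnerable theme is flagged even when it is not the active theme, since the check looks only at what is installed on disk.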


COMMENTS

6 Comments
 * Gary
   November 17, 2020
   2:41 pm
   
   I’m just going to say it... “I love you guys!!”. Thanks for everything... I
   sincerely appreciate it!

 * Matthew Gonzales
   November 17, 2020
   5:27 pm
   
   I can't say enough about your product. I apologize for not having the funds
   at the moment to purchase your premium version, but I am sold! I will
   purchase on my next payday and thank you for the updates and reports. If
   your free version is this incredible I am really excited to actually pay
   for a product now! Thank you!

 * simon
   November 17, 2020
   8:01 pm
   
   Yes, my one site was hacked. Thank God I have Wordfence Premium on my main
   money site.

 * Sixtus Seelenmeyer
   November 17, 2020
   11:56 pm
   
   Thanks for all - good job - in always strange times ...

 * posicionArte
   November 18, 2020
   1:17 pm
   
   Thanks for advisor,
   
   Thanks for the warning. In fact, before having Wordfence I was hacked, and
   today I implement Wordfence on all my sites and its effectiveness has been
   incredible. In addition, the number of attacks received each day became
   visible.
   
   I am a designer and administrator of websites, so I know what I am talking
   about.
   
   For that and more, thanks, thank you very much.

 * sibersonik
   November 23, 2020
   8:54 am
   
   great warning.. good job..thanks

