Script exploited in WordPress theme, bypasses security, sends spam


Hackers, flying beneath the radar, have been using a script that is part of a WordPress theme to send spam.

During what was called a routine cleanup investigation, researchers at Sucuri found that hackers were exploiting a PHP script in a premium WordPress theme to send spam.

“While many themes include email functionality, this particular one was troublesome because the script was written without any security checks or direct access prevention,” Sucuri Remediation Team Lead Rodrigo Escobar wrote in a blog. “Without the proper security functions in place, this script can easily be exploited to abuse features and send mass email spam.”

The script, which uses data from POST parameters to send email and is designed to work within the theme, can stand alone as well, “bypassing all security checks in other theme files,” Escobar said. He added that attackers had been exploiting the issue “for quite a while” and were able “to send as many emails as they would like, only limited by the server's configurations.”
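One way a site owner could look for this pattern in installed themes, as an added example that is not from Sucuri or the original article: a heuristic Python scan that flags theme PHP files which mail request data but lack a direct-access guard or a nonce check. The regexes, function names and sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristics chosen for this example (assumptions, not Sucuri's signatures).
COMMENTS = re.compile(r"/\*.*?\*/|^[ \t]*(?://|#)[^\n]*", re.S | re.M)
MAIL_CALL = re.compile(r"\b(?:wp_)?mail\s*\(")
REQUEST_INPUT = re.compile(r"\$_(?:POST|REQUEST)\b")
CHECKS = {
    # WordPress idiom that stops a file from running when requested directly.
    "no direct-access guard": re.compile(
        r"defined\s*\(\s*['\"](?:ABSPATH|WPINC)['\"]\s*\)"),
    # WordPress nonce helpers that tie a request to a form the site issued.
    "no nonce verification": re.compile(
        r"\b(?:wp_verify_nonce|check_admin_referer|check_ajax_referer)\s*\("),
}

def audit_source(php_source):
    """Return the checks missing from a PHP file that mails request data."""
    code = COMMENTS.sub("", php_source)
    if not (MAIL_CALL.search(code) and REQUEST_INPUT.search(code)):
        return []  # not a request-driven mailer, out of scope here
    return [name for name, pattern in CHECKS.items() if not pattern.search(code)]

def audit_theme(theme_dir):
    """Map each flagged PHP file under theme_dir to its missing checks."""
    root = Path(theme_dir)
    report = {}
    for path in sorted(root.rglob("*.php")):
        missing = audit_source(path.read_text(errors="replace"))
        if missing:
            report[path.relative_to(root).as_posix()] = missing
    return report

# Constructed samples, not code from the affected theme.
SAMPLE_STANDALONE = """<?php
mail($_POST['to'], $_POST['subject'], $_POST['message']);
"""
SAMPLE_GUARDED = """<?php
defined('ABSPATH') || exit;
if (!wp_verify_nonce($_POST['_wpnonce'], 'contact')) { wp_die(); }
wp_mail(get_option('admin_email'), 'Contact', $_POST['message']);
"""

if __name__ == "__main__":
    for label, src in (("standalone", SAMPLE_STANDALONE), ("guarded", SAMPLE_GUARDED)):
        print(label, audit_source(src) or "ok")
```

Point `audit_theme` at a theme directory under `wp-content/themes`; a flagged file is a lead for manual review, not proof of a vulnerability.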

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition