Possible vulnerability in wp-admin/theme-editor.php

  • Hello,

    Two different websites we’re hosting got hacked; the themes’ functions.php got modified to include JavaScript redirects.

    The patterns are the same:

    "GET /?cperpage=1 HTTP/1.1" 200 17395 "http://www.yahoo.com" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20100107 Fedora/3.5.6-1.fc12 Firefox/3.5.6" 1
    "GET /wp-admin/ HTTP/1.1" 200 62079 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20100107 Fedora/3.5.6-1.fc12 Firefox/3.5.6" 1
    "GET /wp-admin/theme-editor.php HTTP/1.1" 200 45236 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20100107 Fedora/3.5.6-1.fc12 Firefox/3.5.6" 0
    "GET /wp-admin/theme-editor.php?theme=Boldy HTTP/1.1" 200 45248 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20100107 Fedora/3.5.6-1.fc12 Firefox/3.5.6" 0
    "GET /wp-admin/theme-editor.php?file=%2Fthemes%2Fboldy%2Ffunctions.php&theme=Boldy&dir=theme HTTP/1.1" 200 75054 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20100107 Fedora/3.5.6-1.fc12 Firefox/3.5.6" 0
    "POST /wp-admin/theme-editor.php HTTP/1.1" 302 468 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20100107 Fedora/3.5.6-1.fc12 Firefox/3.5.6" 1
    "GET /wp-admin/theme-editor.php?file=/home/xyz/www/wp-content/themes/boldy/functions.php&theme=Boldy&a=te&scrollto=0 HTTP/1.1" 200 75170 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20100107 Fedora/3.5.6-1.fc12 Firefox/3.5.6" 0
    "GET /wp-admin/theme-editor.php?file=%2Fthemes%2Fboldy%2Ffunctions.php&theme=Boldy&dir=theme HTTP/1.1" 200 75051 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.6) Gecko/20100107 Fedora/3.5.6-1.fc12 Firefox/3.5.6" 0

    Does this remind anyone of anything?

    What’s strange is that the pirate doesn’t seem to be redirected to the login page when accessing wp-admin or theme-editor.php.

    Regards

Viewing 1 replies (of 1 total)
  • The topic ‘Possible vulnerability in wp-admin/theme-editor.php’ is closed to new replies.
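
One way to search a full access log for the request sequence quoted in the post, as an added example that is not part of the original thread. It assumes combined log format with a leading client address; the sample lines are constructed, `find_theme_edits` is a hypothetical name, and treating a GET with `a=te` after the POST as the save confirmation is an assumption drawn from the sequence in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample (documentation IP ranges); the second client repeats the
# request sequence quoted in the post.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2000:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 500 "-" "UA"
198.51.100.7 - - [01/Jan/2000:10:00:30 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 468 "-" "UA"
192.0.2.44 - - [01/Jan/2000:11:30:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 62079 "-" "UA"
192.0.2.44 - - [01/Jan/2000:11:30:05 +0000] "GET /wp-admin/theme-editor.php?file=%2Fthemes%2Fboldy%2Ffunctions.php&theme=Boldy&dir=theme HTTP/1.1" 200 75054 "-" "UA"
192.0.2.44 - - [01/Jan/2000:11:30:20 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 468 "-" "UA"
192.0.2.44 - - [01/Jan/2000:11:30:21 +0000] "GET /wp-admin/theme-editor.php?file=/home/xyz/www/wp-content/themes/boldy/functions.php&theme=Boldy&a=te&scrollto=0 HTTP/1.1" 200 75170 "-" "UA"
"""

def find_theme_edits(log_text):
    """Return one finding per POST to theme-editor.php, in log order."""
    logged_in = set()   # clients that POSTed to wp-login.php within this log
    last_file = {}      # client -> last file= value opened in the editor
    pending = {}        # client -> finding still waiting for an a=te GET
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if method == "POST" and url.path.endswith("/wp-login.php"):
            logged_in.add(client)
        elif url.path.endswith("/wp-admin/theme-editor.php"):
            if method == "POST":
                finding = {"client": client, "time": when, "status": status,
                           "file": last_file.get(client),
                           "login_seen": client in logged_in, "saved": False}
                findings.append(finding)
                pending[client] = finding
            elif query.get("a") == ["te"] and client in pending:
                pending.pop(client)["saved"] = True   # assumed save marker
            elif "file" in query:
                last_file[client] = query["file"][0]
    return findings
```

A finding with `login_seen` set to `False` only means no login request from that client appears in the log being read, so older logs are the next place to check for where the session came from.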