Since the start of the month, hackers have been exploiting a vulnerability in the OneTone WordPress theme that lets them create backdoor admin accounts and read and write site cookies.
The cross-site scripting (XSS) bug affects the OneTone theme developed by Magee WP, which is available in both free and paid versions.
The bug was discovered by Jerome Bruandet in September of last year, and he immediately reported it to the theme author and the WordPress team.
Even after the report, Magee Themes did not release a fix for the theme. The theme's last update was in 2018, and there have been none since. Because the bug went unfixed, the free version of OneTone was removed from the official WordPress repository.
Hackers used the XSS bug to inject malicious code into the OneTone theme settings. One part of the code redirects some visitors to a traffic distribution system hosted at ischeck dot xyz; the second part creates a backdoor admin account from the admin side.
The backdoor only fires when an administrator is logged in: the code looks for the admin toolbar that appears at the top of the screen when a site admin is logged in.
The backdoor script then creates an admin-level user account or sets admin-account cookies on the server side.
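As an added, defensive illustration that is not from the article or from Sucuri, the following Python script scans an exported set of WordPress option rows for script markup injected into theme settings, which is where this campaign placed its code. The option names, the export shape and the sample values are constructed assumptions (OneTone's real option keys are not given here); the domain pattern is the one named in the article.

```python
import re

# Constructed sample rows, shaped like a `wp option list --format=json` export.
# The first and third rows mimic the compromise described above: markup injected
# into a theme setting. The "onetone_" option names are assumptions, not the
# theme's real keys; the script URL path is constructed.
SAMPLE_OPTIONS = [
    {"option_name": "onetone_custom_js",
     "option_value": '<script src="https://ischeck.xyz/example.js"></script>'},
    {"option_name": "onetone_footer_text",
     "option_value": "<p>&copy; 2020 Example Site</p>"},
    {"option_name": "onetone_slider_title",
     "option_value": '<img src=x onerror="void(0)">'},
    {"option_name": "blogname", "option_value": "Example Site"},
]

# Markup that has no business inside cosmetic theme settings.
SCRIPT_PATTERNS = [
    re.compile(r"<script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # inline event handlers (onerror=, onload=)
    re.compile(r"javascript:", re.I),
    re.compile(r"ischeck\.xyz", re.I),     # TDS domain named in the article
]


def scan_options(rows, name_prefix="onetone_"):
    """Return (option_name, matched_pattern) for theme settings carrying script markup."""
    findings = []
    for row in rows:
        name, value = row["option_name"], str(row["option_value"])
        if not name.startswith(name_prefix):
            continue  # only theme settings are in scope here
        for pat in SCRIPT_PATTERNS:
            if pat.search(value):
                findings.append((name, pat.pattern))
                break
    return findings


def strip_markup(value):
    """Crude clean-up: drop all tags from a flagged setting before restoring it."""
    return re.sub(r"<[^>]*>", "", value)


if __name__ == "__main__":
    for name, why in scan_options(SAMPLE_OPTIONS):
        print(f"suspicious setting: {name} (matched {why})")
```

After cleaning the settings, also review the user list for unexpected administrator accounts, since the injected code creates one once an admin logs in.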
The OneTone developers did not reply to any of the emails sent by the Sucuri team, nor did they release a fix for the issue. More than 20,000 WordPress websites were still using the OneTone theme as of last week.
Soon after the news broke, site owners started migrating to other themes. It is still unclear whether the developers will patch the issue; for now, it does not look like a fix is coming.