WordPress Theme Mailing Script being exploited in the wild

A few weeks ago, we posted a lab notes describing a good theme file being exploited by attackers to send mass-mailing SPAM (http://labs.sucuri.net/?note=2016/08/15 0:00). Upon further investigation, we identified that attackers have been exploiting this issue for quite awhile and apparently under the radar.

The lack of security checks in that particular file allows the attackers to send as many emails as they would like to, depending on server’s configurations/limitations. To make matters worse, the code had been implemented throughout different themes developed by the same company.

The issue is located within the file ‘functions/theme-mail.php’ and can be found in older versions of the following premium themes:

bretheon, doover, fingerprints, kora, lawcenter_two,mfl, pindol, tisson, almet, caffeine, nollie, limuso

The consequences of using those old versions vary – from having your website suspended by the hosting company, or getting the mail server blacklisted.

We didn’t have access to all versions of those themes to determine when a patch had been applied, but if you identify the same snippet as we have in the labs sucuri notes, we highly recommend adding the following code after your opening php tags to prevent direct access to the file and further exploitation:

if ( basename($_SERVER['PHP_SELF']) == basename(__FILE__) ){die('Access Denied');}

If you’re a customer on the Sucuri Firewall you are already patched via our virtual patching engine.