OneTone, which has a large number of users in Japan, has a vulnerability that rewrites the database without requiring authentication, and many sites have suffered from redirection hacks.
Vulnerability in OneTone to rewrite database without authentication
This vulnerability is very dangerous because it has been left uncorrected by the official site. A hacker could easily remotely hack into a site where the OneTone theme is installed and rewrite the database contents to embed Javascript code into the site, including a redirect hack.
The discovered vulnerabilities of the OneTone theme are as follows
wp-content/themes/onetone/includes/theme-functions.php
function onetone_options_import(){
$option_name = onetone_option_name();
if(isset($_POST['options'])){
$options = stripslashes($_POST['options']);
$new_options = json_decode($options, true);
if(is_array($new_options) && $new_options ! = NULL ){
update_option($option_name,$new_options);
_e( 'Import successful.', 'onetone');
exit(0); }
}
}
_e( 'Import failed.', 'onetone');
exit(0); }
}
Even though this code is executed with AJAX, $_POST[‘options’] is not escaped, so the database can be written remotely.
How to address the OneTone vulnerability
1 Please remove the OneTone theme and the OneTone Comapnion plugin and use another theme.
2 It is possible to manually patch the vulnerabilities for the time being. (This is not recommended as there may be other vulnerabilities.)
function onetone_options_import(){
exit(0);//add this line
$option_name = onetone_option_name();
.....
It is also possible to patch the vulnerability in wp-content/themes/onetone/includes/theme-functions.php to plug the vulnerability in the above manner. (Please note that you will not be able to change theme options thereafter.)
Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
