Attackers are probing WordPress sites en masse to identify eCommerce sites which may be using unpatched software.
On November 17th, 2020, the Wordfence Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in WordPress themes built on the Epsilon Framework, which is estimated to be installed on over 150,000 sites. While the team occasionally sees attacks targeting a large number of sites, most of those campaigns go after older vulnerabilities; this wave is targeting vulnerabilities that were patched only in the last few months.
If you do not have a process in place to ensure that all relevant security patches are reviewed and deployed within one month of release, you are leaving yourself open to compromise. As the Epsilon Framework campaign shows, you cannot rely on attackers concentrating on older vulnerabilities and need to remain vigilant for attacks on newly patched ones.
In addition to putting your store at risk of a data compromise, running unpatched applications puts you in breach of your PCI DSS compliance obligations, namely requirement 6.2 (PCI DSS v3.2.1): "Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release."
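One way to make the one-month clock in requirement 6.2 auditable is to record when a pending update was first observed and flag anything still outstanding past 30 days. The script below is an added example (not code from 3B Data Security or Wordfence); it assumes the component inventory comes from WP-CLI, e.g. `wp theme list --format=json --fields=name,status,version,update,update_version` (the same fields exist for `wp plugin list`), and that a small JSON state file carries the first-seen dates between runs. The inventory, prior state and dates below are constructed sample data.

```python
"""Patch-SLA tracker for WordPress themes and plugins.

Added example, not the page's own code. Assumptions (labelled here and in
the lead-in): the inventory is the JSON emitted by WP-CLI's `wp theme list`
/ `wp plugin list` with the fields name, status, version, update and
update_version; a JSON state file records the date a pending update was
first seen so the 30-day clock runs from observation, not from scan date.
"""
import json
from datetime import date, timedelta

SLA_DAYS = 30  # PCI DSS 6.2: critical patches within one month of release

# Constructed sample of what `wp theme list --format=json ...` emits.
SAMPLE_INVENTORY = json.loads("""[
  {"name": "twentytwenty", "status": "inactive", "version": "1.5",
   "update": "available", "update_version": "1.6"},
  {"name": "storefront", "status": "active", "version": "3.1.0",
   "update": "none", "update_version": ""},
  {"name": "shop-theme", "status": "inactive", "version": "2.0.1",
   "update": "available", "update_version": "2.0.3"}
]""")


def pending_updates(inventory):
    """Return {slug: (installed, available)} for components with an update available."""
    return {
        c["name"]: (c["version"], c["update_version"])
        for c in inventory
        if c.get("update") == "available"
    }


def update_first_seen(pending, first_seen, today):
    """Start the clock for newly pending updates; drop entries that have been patched."""
    return {slug: first_seen.get(slug, today.isoformat()) for slug in pending}


def overdue(pending, first_seen, today, sla_days=SLA_DAYS):
    """List components whose pending update has been outstanding longer than the SLA."""
    late = []
    for slug, (installed, available) in sorted(pending.items()):
        seen = date.fromisoformat(first_seen[slug])
        age = (today - seen).days
        if age > sla_days:
            late.append({
                "name": slug,
                "installed": installed,
                "available": available,
                "days_outstanding": age,
            })
    return late


def run(inventory, prior_state, today, sla_days=SLA_DAYS):
    """One scan: returns (overdue components, new state to persist)."""
    pending = pending_updates(inventory)
    state = update_first_seen(pending, prior_state, today)
    return overdue(pending, state, today, sla_days), state


if __name__ == "__main__":
    # Constructed prior state: twentytwenty's update was first seen 45 days ago,
    # shop-theme's update is seen for the first time today.
    scan_day = date(2020, 11, 20)
    prior = {"twentytwenty": (scan_day - timedelta(days=45)).isoformat()}
    late, new_state = run(SAMPLE_INVENTORY, prior, scan_day)
    print(json.dumps({"overdue": late, "state": new_state}, indent=2))
```

Run it from a cron job after `wp theme list` and `wp plugin list`, persist the returned state between runs, and treat a non-empty overdue list as a ticket or alert. Because the state only keeps slugs that still have a pending update, a component that gets patched drops out automatically, and a component whose update is seen for the first time today is not reported until the SLA has actually elapsed.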
If you require any advice or guidance with the security and compliance of your eCommerce web store, please contact 3B Data Security.