1.6 Million WordPress Sites Under Cyberattack From Over 16,000 IP Addresses

Introduction

A large-scale attack campaign is targeting WordPress websites by exploiting vulnerabilities in plugins and themes. According to a report by the WordPress security company Wordfence, as many as 1.6 million WordPress sites are being targeted by an active attack originating from about 16,000 IP addresses.

In most of the attacks, the attacker uses the vulnerability to set the “users_can_register” option to enabled and the “default_role” option to ‘administrator‘. With those two options changed, anyone can register an account on the site and is immediately granted the administrator role, so the attacker simply registers and takes over the website.

These attacks exploit vulnerabilities in four plugins and 15 Epsilon Framework themes. Here is the list of plugins and themes that the campaign targets.

The impacted Plugins

  • Kiwi Social Share (<= 2.0.10)
  • WordPress Automatic (<= 3.53.2)
  • Pinterest Automatic (<= 4.14.3)
  • PublishPress Capabilities (<= 2.3)

Most of these plugins have been updated to fix the issues, but many websites are still running old versions.

The impacted Epsilon Framework themes

  • Activello (<=1.4.1)
  • Affluent (<1.1.0)
  • Allegiant (<=1.2.5)
  • Antreas (<=1.0.6)
  • Bonkers (<=1.0.5)
  • Brilliance (<=1.2.9)
  • Illdy (<=2.1.6)
  • MedZone Lite (<=1.2.5)
  • NatureMag Lite (no known patch available)
  • NewsMag (<=2.4.1)
  • Newspaper X (<=1.3.1)
  • Pixova Lite (<=2.0.6)
  • Regina Lite (<=2.0.5)
  • Shapely (<=1.2.8)
  • Transcend (<=1.1.9)

Wordfence says it saw a spike in attacks after December 8 and that it has blocked more than 13.7 million attacks from this campaign so far. Researchers say the plugins are affected by “Unauthenticated Arbitrary Options Update” vulnerabilities, reports Computing.

The top three offending IPs include:

  • 144.91.111.6 with 430,067 attacks blocked
  • 185.9.156.158 with 277,111 attacks blocked
  • 195.2.76.246 with 274,574 attacks blocked


Remediation:

To check whether your website has been compromised by these attacks, review the user accounts on the site for any new, unauthorized accounts, paying particular attention to accounts with the administrator role. If you are running a vulnerable version of any of the plugins or themes listed above, update it; if no fixed version is available, remove it.

Review the site’s settings at “http://examplesite [.]com/wp-admin/options-general.php” and make sure the Membership setting (“Anyone can register”) and ‘New User Default Role’ are set the way you intend. A site modified by this campaign will have “Anyone can register” checked and the default role set to Administrator; for most sites the safe state is registration disabled, or enabled with Subscriber as the default role.
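The following POSIX shell script carries out the remediation checks above with WP-CLI. It is an added example, not code from the article or from Wordfence. It assumes WP-CLI (`wp`) is installed and that the script is run from the WordPress root directory; the plugin slugs in the VULN_PLUGINS table are assumed wordpress.org slugs for the four plugins named above and should be verified against `wp plugin list` on your own site. The version comparison handles only plain numeric dotted versions (the form used in the lists above). The vulnerable Epsilon themes can be checked the same way from `wp theme list`; note that Affluent’s bound above is a strict “less than 1.1.0”, unlike the “at or below” bounds used for the plugins.

```shell
#!/bin/sh
# Audit and hardening helper for the options-update campaign described above.
# Added example, not code from the article or from Wordfence.
# Assumes WP-CLI (`wp`) is on PATH and the script runs from the WordPress root.

# Plugin slug and highest vulnerable version, taken from the list in the article.
# The slugs are assumptions: confirm them with `wp plugin list` on your site.
VULN_PLUGINS="kiwi-social-share 2.0.10
wp-automatic 3.53.2
wp-pinterest-automatic 4.14.3
capability-manager-enhanced 2.3"

# Exit 0 when numeric dotted version $1 <= $2, comparing component by component
# so that 2.0.9 < 2.0.10 and 3.53.10 > 3.53.2 (a plain string compare gets both wrong).
version_le() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; a=${a#*.}
    bi=${b%%.*}; b=${b#*.}
    ai=${ai:-0}; bi=${bi:-0}          # missing components count as 0 (2.0 == 2.0.0)
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 0
}

# Classify the two options the campaign flips.
#   COMPROMISED: default_role is administrator, so every new registration is an admin
#   WARN:        registration is open and the default role is above subscriber
#   OK:          anything else
classify_options() {
  can_register="$1"   # value of users_can_register: "0" or "1"
  default_role="$2"   # value of default_role: subscriber, editor, administrator, ...
  if [ "$default_role" = "administrator" ]; then
    echo COMPROMISED
  elif [ "$can_register" = "1" ] && [ "$default_role" != "subscriber" ]; then
    echo WARN
  else
    echo OK
  fi
}

# Read "slug,version" lines on stdin (the body of
# `wp plugin list --fields=name,version --format=csv`) and print every plugin
# whose installed version falls inside a vulnerable range from VULN_PLUGINS.
flag_vulnerable() {
  while IFS=, read -r name version; do
    printf '%s\n' "$VULN_PLUGINS" | while read -r vslug vmax; do
      if [ "$name" = "$vslug" ] && version_le "$version" "$vmax"; then
        printf '%s %s is within the vulnerable range (<= %s): update or remove\n' \
          "$name" "$version" "$vmax"
      fi
    done
  done
}

# Live checks against the site (requires WP-CLI).
audit_site() {
  reg=$(wp option get users_can_register)
  role=$(wp option get default_role)
  echo "users_can_register=$reg default_role=$role -> $(classify_options "$reg" "$role")"
  echo "Administrator accounts (look for ones you did not create, especially registered after 2021-12-08):"
  wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
  echo "Installed plugins in a vulnerable range:"
  wp plugin list --fields=name,version --format=csv | tail -n +2 | flag_vulnerable
}

# Restore the two options to safe values. Rogue administrator accounts still have to
# be removed by hand, e.g. `wp user delete <ID> --reassign=<your admin ID>`.
harden_site() {
  wp option update users_can_register 0
  wp option update default_role subscriber
}

case "${1:-}" in
  audit)  audit_site ;;
  harden) harden_site ;;
esac
```

Run `sh audit.sh audit` to report the option state, the administrator accounts and any plugin still inside a vulnerable range, and `sh audit.sh harden` to reset the two options after you have removed any accounts the attacker created. Resetting the options alone is not enough: an administrator account that was already registered keeps its access until it is deleted, and the vulnerable plugin or theme must still be updated or removed or the options will simply be flipped again.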