1.6 Million WordPress Sites Under Cyberattack From Over 16,000 IP Addresses

December 16, 2021

Introduction

There is a large-scale attack campaign against WordPress websites by exploiting bugs of plugins and themes. As per the report by WordPress security company Wordfence, as many as 1.6 million WordPress sites are being targeted by an active attack originating from 16,000 IP addresses.

In most attacks, it updates the “users_can_register” option to enabled and sets the “default_role” option to ‘administrator‘. So, an attacker can now register on the website as an administrator and take over the website.

These attacks are exploiting vulnerabilities in four plugins and 15 Epsilon Framework themes. Here’s the list of plugins and themes that are being exploited by the attack.

The impacted Plugins

Kiwi Social Share (<= 2.0.10)
WordPress Automatic (<= 3.53.2)
Pinterest Automatic (<= 4.14.3)
PublishPress Capabilities (<= 2.3)

Some of these plugins have been updated to fix the issues but several websites are still using old versions.

The impacted Epsilon Framework themes

Activello (<=1.4.1)
Affluent (<1.1.0)
Allegiant (<=1.2.5)
Antreas (<=1.0.6)
Bonkers (<=1.0.5)
Brilliance (<=1.2.9)
Illdy (<=2.1.6)
MedZone Lite (<=1.2.5)
NatureMag Lite (no known patch available)
NewsMag (<=2.4.1)
Newspaper X (<=1.3.1)
Pixova Lite (<=2.0.6)
Regina Lite (<=2.0.5)
Shapely (<=1.2.8)
Transcend (<=1.1.9)

WordFence claims that it saw a spike in attacks after December 8. Wordfence claims to have blocked more than 13.7m attacks so far. Researchers say the plugins are affected by “Unauthenticated Arbitrary Options update” vulnerabilities, reports Computing.

The top three offending IPs include:

144.91.111.6 with 430,067 attacks blocked
185.9.156.158 with 277,111 attacks blocked
195.2.76.246 with 274,574 attacks blocked

Remediation:

To check if your website has been compromised by these attacks, review the user accounts on the site to determine if there are any new unauthorized user accounts. If you are using any of the vulnerable versions of the plugin or theme, update it or remote it.

Review the site’s settings at “http://examplesite [.]com/wp-admin/options-general.php” and make sure the Membership setting and ‘New User Default Role’ are properly set.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

1.6 Million WordPress Sites Under Cyberattack From Over 16,000 IP Addresses

Security Team

Related Posts

Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity

Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign

Our Offices

Corporate Office (HO):

UK Office:

Registered Office (Delhi):

Noida Office:

Phone:

Email

Click To Download

Download CyberSRC Services & Portfolio & Datasheets

Download Case Studies

Download Company Brochure