1.6 million WordPress Sites Were Attacked
A Massive Wave of Attacks Originating from 16,000 IPs Was Detected.
WordPress is a free and open-source content management system (CMS) developed in PHP and used in conjunction with a MySQL or MariaDB database.
WordPress started as a blog-publishing system but has now extended to include other types of web content such as more traditional mailing lists and forums, media galleries, membership sites, learning management systems (LMS), and online commerce.
Cybersecurity specialists at Wordfence observed a large wave of attacks originating from 16,000 IP addresses and targeting over 1.6 million WordPress sites.
The threat actors are targeting four WordPress plugins and fifteen Epsilon Framework themes, one of which has no available fix.
As reported by BleepingComputer, the affected plugins are PublishPress Capabilities, Kiwi Social Plugin, Pinterest Automatic, and WordPress Automatic.
The targeted Epsilon Framework themes are Shapely, NewsMag, Activello, Illdy, Allegiant, Newspaper X, Pixova Lite, Brilliance, MedZone Lite, Regina Lite, Transcend, Affluent, Bonkers, Antreas, and NatureMag Lite.
Attackers are targeting 4 individual plugins with Unauthenticated Arbitrary Options Update Vulnerabilities. The four plugins consist of Kiwi Social Share, which has been patched since November 12, 2018, WordPress Automatic and Pinterest Automatic which have been patched since August 23, 2021, and PublishPress Capabilities which was recently patched on December 6, 2021. In addition, they are targeting a Function Injection vulnerability in various Epsilon Framework themes in an attempt to update arbitrary options.
In most cases, the attackers are updating the users_can_register option to enabled and setting the default_role option to `administrator`. This makes it possible for attackers to register on any site as an administrator, effectively taking over the site.
Our attack data indicates that there was very little activity from attackers targeting any of these vulnerabilities until December 8, 2021. This leads us to believe that the recently patched vulnerability in PublishPress Capabilities may have sparked attackers to target various Arbitrary Options Update vulnerabilities as part of a massive campaign.
To find out whether your site has already been infiltrated, go through all user accounts and look for any rogue additions, which need to be deleted right away.
Visit “http://examplesite[.]com/wp-admin/options-general.php” and review the Membership and New User Default Role settings.
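The same check can be scripted. The following is an added example, not code from Wordfence or the original article: it flags the option combination described above and lists administrator accounts registered on or after December 8, 2021. It assumes the option values and user list were exported with WP-CLI; the function names and sample data are constructed for illustration.

```python
import json
from datetime import datetime

# Date the article gives for the start of the attack activity.
CAMPAIGN_START = datetime(2021, 12, 8)

def audit_options(options):
    """Return findings for the two options the attackers change."""
    findings = []
    open_reg = str(options.get("users_can_register", "0")) == "1"
    role = options.get("default_role", "subscriber")
    if role == "administrator":
        findings.append("default_role is 'administrator'")
    if open_reg and role == "administrator":
        findings.append("anyone can self-register as an administrator")
    return findings

def suspicious_admins(users_json, since=CAMPAIGN_START):
    """List administrator logins registered on or after `since`."""
    flagged = []
    for user in json.loads(users_json):
        # WP-CLI reports roles as a comma-separated string.
        roles = [r.strip() for r in user.get("roles", "").split(",")]
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and registered >= since:
            flagged.append(user["user_login"])
    return flagged

# Constructed sample data, shaped like the output of:
#   wp option get users_can_register ; wp option get default_role
#   wp user list --fields=user_login,roles,user_registered --format=json
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
SAMPLE_USERS = json.dumps([
    {"user_login": "siteowner", "roles": "administrator", "user_registered": "2019-03-02 10:15:00"},
    {"user_login": "editor1", "roles": "editor", "user_registered": "2021-12-09 08:00:00"},
    {"user_login": "newadmin", "roles": "administrator", "user_registered": "2021-12-09 23:41:07"},
])

if __name__ == "__main__":
    for finding in audit_options(SAMPLE_OPTIONS):
        print("OPTION:", finding)
    for login in suspicious_admins(SAMPLE_USERS):
        print("REVIEW ACCOUNT:", login)
```

The date cutoff only narrows the review; an administrator account you do not recognise is worth investigating whatever its registration date.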
Even if your plugins and themes aren’t on the list above, it’s a good idea to update them as soon as possible. If you’re using NatureMag Lite, which has no fix, you should uninstall it right away.