There’s a large-scale attack campaign against WordPress websites by exploiting bugs of plugins and themes. As per a report by WordPress security company Wordfence, as many as 1.6 million WordPress sites are being targeted by an active attack originating from 16,000 IP addresses.
In most attacks, it updates the users_can_register option to enabled and sets the default_role option to ‘administrator‘. So, an attacker can now register on the website as an administrator and take over the website.
These attacks are exploiting vulnerabilities in four plugins and 15 Epsilon Framework themes. Here’s the list of plugins and themes that are being exploited by the attack.
The impacted Plugins
- Kiwi Social Share (<= 2.0.10)
- WordPress Automatic (<= 3.53.2)
- Pinterest Automatic (<= 4.14.3)
- PublishPress Capabilities (<= 2.3)
Some of these plugins have been updated to fix the issues but several websites are still using old versions.
The impacted Epsilon Framework themes
- Activello (<=1.4.1)
- Affluent (<1.1.0)
- Allegiant (<=1.2.5)
- Antreas (<=1.0.6)
- Bonkers (<=1.0.5)
- Brilliance (<=1.2.9)
- Illdy (<=2.1.6)
- MedZone Lite (<=1.2.5)
- NatureMag Lite (no known patch available)
- NewsMag (<=2.4.1)
- Newspaper X (<=1.3.1)
- Pixova Lite (<=2.0.6)
- Regina Lite (<=2.0.5)
- Shapely (<=1.2.8)
- Transcend (<=1.1.9)
WordFence claims that it saw a spike in attacks after December 8.
To check if your website has been compromised by these attacks, review the user accounts on the site to determine if there’s any new unauthorized user accounts. If you are using any of the vulnerable versions of the plugin or theme, update ir or remote it.
