Hackers are targeting over a million WordPress sites in ongoing attacks
They are exploiting security bugs in four WordPress plugins and 15 Epsilon Framework themes
Researchers at cyber security firm Wordfence say they have detected a massive, ongoing wave of attacks that is originating from over 16,000 different IP addresses and targeting more than 1.6 million WordPress sites.
The Wordfence Threat Intelligence team noticed a huge surge in attacks over the last 36 hours, which exploited security bugs in four WordPress plugins and 15 Epsilon Framework themes - enabling threat actors to update arbitrary options on vulnerable websites.
Wordfence claims to have successfully blocked over 13.7 million attacks so far.
The four individual plugins being targeted in the ongoing attacks are:
- Kiwi Social Share (patched on 12 November2018); vulnerable versions <= 2.0.10
- WordPress Automatic (patched on 23 August 2021); vulnerable versions <= 3.53.2
- Pinterest Automatic (patched on 23 August 2021); vulnerable versions <= 4.14.3
- PublishPress Capabilities (patched on 6 December 2021); vulnerable versions <= 2.3
According to the researchers, these plugins are affected by 'Unauthenticated Arbitrary Options Update' vulnerabilities.
Moreover, hackers are also targeting a 'Function Injection' flaw in 15 Epsilon Framework themes to update arbitrary options.
One of these 15 themes has no patch available at this moment.
The targeted Epsilon Framework themes and vulnerable versions are:
- Activello <=1.4.1
- Allegiant <=1.2.5
- Affluent <1.1.0
- Shapely <=1.2.8
- Antreas <=1.0.6
- NewsMag <=2.4.1
- Illdy <=2.1.6
- Newspaper X <=1.3.1
- MedZone Lite <=1.2.5
- Pixova Lite <=2.0.6
- Brilliance <=1.2.9
- Transcend <=1.1.9
- Regina Lite <=2.0.5
- Bonkers <=1.0.5
- NatureMag Lite - No patch available (recommended to uninstall from site)
According to Wordfence analysts, the attackers are updating the 'users_can_register' option to 'enabled' and setting the 'default_role' option to 'administrator' in most cases.
This makes it possible for threat actors to register as an administrator on a vulnerable site and take over the site.
The top three offending IPs include:
- 144.91.111.6 with 430,067 attacks blocked
- 185.9.156.158 with 277,111 attacks blocked
- 195.2.76.246 with 274,574 attacks blocked
To check if their site has already been compromised, admins should review all user accounts and look for any unauthorised user accounts.
If case any rogue addition is found, admins should delete it immediately.
Admins are also recommended to review the site's settings at 'http://examplesite\\[.]com/wp-admin/options-general.php' and ensure that the Membership setting and 'New User Default Role' are correctly set.
Admins should always make sure to update plugins and themes on the WordPress sites as soon as possible.
This is not the first example of attackers exploiting bugs in plugins to target WordPress sites.
In 2019, cybercriminals attacked Mailgun's website by exploiting an unpatched cross-site scripting vulnerability in a WordPress plugin named 'Yuzo Related Posts'. Using the vulnerability, hackers were able to inject malicious code into sites, which redirected incoming visitors to a malicious website.
Also in 2019, users of a popular plugin named 'Social Warfare' were asked to immediately update or disable the plugin after security researchers found that hackers were exploiting a XSS flaw in the plugin to attack websites. The security flaw enabled hackers to inject JavaScript code into the social sharing links present on a website's posts. The plugin was eventually removed from the WordPress platform.
In 2017, a popular WordPress plug-in installed on around 300,000 websites was compromised with malicious code opening a back door into the websites.
Last month, it also emerged that attackers breached web-hosting firm GoDaddy, gaining access to the information of nearly 1.2 million active and inactive Managed WordPress customers.
The attacker was able to view their customer numbers and email addresses, and could also see passwords for the secure file transfer protocol and database, as well as database usernames, for active customers.