Researchers at Wordfence have identified an attack campaign targeting over a million vulnerable WordPress websites. The threat actor is exploiting vulnerabilities that allow attackers to update arbitrary options on these sites. The attacks originate from over 16,000 IP addresses and target four different WordPress plugins and several Epsilon Framework themes.
Affected plugins include:
- PublishPress Capabilities
- Kiwi Social Plugin
- Pinterest Automatic
- WordPress Automatic
Targeted Epsilon Framework Themes:
- Shapely
- NewsMag
- Activello
- Illdy
- Allegiant
- Newspaper X
- Pixova Lite
- Brilliance
- MedZone Lite
- Regina Lite
- Transcend
- Affluent
- Bonkers
- Antreas
- NatureMag Lite
In most cases, the threat actors enable the users_can_register option and set the default_role option to administrator, which lets them register an account as an administrator and take over the website.
Analyst Notes
WordPress site administrators can determine whether their site has been compromised by reviewing its user accounts for any that are unauthorized. If a rogue user account is found, it should be removed immediately. Administrators should also check whether vulnerable versions of the listed plugins are installed and update accordingly. As always, websites should be kept updated and patched to the newest versions so that vulnerabilities cannot be exploited by threat actors.
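One way to automate the review described above, as an added example (not from Wordfence or the original article): it checks the two options the attackers change and compares administrator accounts against an allowlist. It assumes the values were exported with WP-CLI; the sample data and the KNOWN_ADMINS allowlist are constructed for illustration.

```python
import json

# Constructed sample data (not from a real site). It mimics what a site owner could
# collect with WP-CLI (assumed to be installed):
#   wp option get users_can_register ; wp option get default_role
#   wp user list --role=administrator --format=json \
#       --fields=ID,user_login,user_email,user_registered
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
SAMPLE_ADMINS_JSON = """[
  {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
   "user_registered": "2019-03-02 10:15:00"},
  {"ID": 57, "user_login": "unknown_acct", "user_email": "someone@example.net",
   "user_registered": "2021-12-09 04:41:12"}
]"""
KNOWN_ADMINS = {"siteowner"}  # hypothetical allowlist kept by the site owner


def audit(options, admins_json, known_admins):
    """Return (severity, message) findings for the option tampering described above."""
    findings = []
    open_registration = str(options.get("users_can_register", "0")).strip() == "1"
    default_role = str(options.get("default_role", "subscriber")).strip().lower()

    if default_role == "administrator":
        if open_registration:
            findings.append(("critical", "open registration with default_role=administrator"))
        else:
            findings.append(("high", "default_role=administrator (registration closed)"))
    elif open_registration:
        # Open registration is legitimate on some sites, so only flag it for review.
        findings.append(("review", f"registration open, default_role={default_role}"))

    known = {name.lower() for name in known_admins}
    for user in json.loads(admins_json):
        if user["user_login"].lower() not in known:
            findings.append(("high", f"unrecognized administrator {user['user_login']!r} "
                                     f"(ID {user['ID']}, registered {user['user_registered']})"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_OPTIONS, SAMPLE_ADMINS_JSON, KNOWN_ADMINS):
        print(f"[{severity}] {message}")
```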
https://securityaffairs.co/wordpress/125469/hacking/wordpress-sites-under-attack.html?utm_source=feedly&utm_medium=rss&utm_campaign=wordpress-sites-under-attack