Threat actors are actively exploiting security flaws in four plugins and Epsilon themes to assign themselves administrative accounts and take over a staggering 1.6 million WordPress sites.
Cybercrooks Targeting 1.6 Million WordPress Sites
Hackers are targeting more than 1.6 million websites, according to researchers who have spotted 13.7 million attacks in 36 hours originating from 16,000 IPs. The malicious attempts exploit four plugins and a number of Epsilon Framework themes.
In a recent analysis, Wordfence experts said that the cybercriminals aimed to complete site takeover using administrative privilege.
Exploiting Plugin Vulnerabilities
Wordfence’s post wrote that the malicious actors are seeking to exploit critical “unauthenticated arbitrary options update vulnerabilities” in the following plugins: Kiwi Social Share (patched in 2018), WordPress Automatic, Pinterest Automatic, and PublishPress Capabilities (all fixed in 2021).
“In most cases, the attackers are updating the ‘users_can_register’ option to enabled and setting the ‘default_role’ option to ‘administrator,’” Wordfence researchers noted. “This makes it possible for attackers to register on any site as an administrator, effectively taking over the site.”
Wordfence first spotted the activity on December 8, as a likely result of attackers taking an interest in arbitrary options update bugs in general.
Some of the flaws have been exploited in previous attacks. For example, the Ninja Technologies Network reported a surge in hacker activity specifically against the Kiwi Social Share bug in 2018, starting Dec. 6, shortly after a security patch was released.
“WordPress Kiwi Social Sharing plugin <2.0.11 is currently exploited since Dec. 6,” the firm said in a short alert at the time. “It allows attackers to modify the WordPress wp_options table in order to create administrator accounts or, for instance, redirect the blog to another website.”
Affected versions are as follows:
- Kiwi Social Plugin <= 2.0.10 – Adds functionality to let site visitors share content on social media. 10,000+ installations.
- PublishPress Capabilities <= 2.3 – Allows admins to customize permissions for WordPress user roles, from administrators and editors to authors, contributors, subscribers and custom roles. 100,000+ installations.
- Pinterest Automatic <= 4.14.3 – Pins images from posts automatically to Pinterest.com. 7,400+ sales.
- WordPress Automatic <= 3.53.2 – Imports content to WordPress automatically. 28,000+ sales.
Abusing Epsilon Themes
The bad guys behind the overwhelming attacks are also using a function-injection flaw found in several Epsilon Framework themes, according to Wordfence researchers. The vulnerability allows for remote code execution (RCE). Epsilon Framework themes provide site builders with various design features they need to create a website.
The affected themes (collectively installed on 150,000+ sites) are:
- MedZone Lite <= 1.2.4
- NatureMag Lite – no patch, users should uninstall
- Newspaper X <= 1.3.1
- Pixova Lite <= 2.0.5
- Regina Lite <= 2.0.4
Patching Is A Must
“Due to the severity of these vulnerabilities and the massive campaign targeting them, it is incredibly important to ensure your site is protected from compromise,” according to Wordfence. “We strongly recommend ensuring that any sites running one of these plugins or themes has been updated to the patched version…Simply updating the plugins and themes will ensure that your site stays safe from compromise against any exploits targeting these vulnerabilities.”
To check if your website has been compromised, you can review the user accounts to spot any potentially unauthorized logins.
“If the site is running a vulnerable version of any of the four plugins or various themes, and there is a rogue user account present, then the site was likely compromised via one of these plugins,” researchers noted. “Please remove any detected user accounts immediately.”
Experts recommend that you should also go to the http://examplesite[.]com/wp-admin/options-general.php page and make sure that the “Membership” setting and the “New User Default Role” are both correctly set.
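The following script is an added example, not part of Wordfence's advisory or of WordPress itself. It applies the two checks above to data exported from a site's database (for instance with `wp db query`): it flags the users_can_register / default_role combination the attackers set, and lists administrator accounts registered on or after the day the campaign was first seen. The option rows, user rows and account names are constructed samples; the year 2021 for December 8 is assumed from context.

```python
"""Post-compromise check for the option-tampering pattern described above."""
from datetime import datetime

# Constructed sample rows from wp_options as (option_name, option_value).
# The first two are the options the attackers change; the third is harmless.
SAMPLE_OPTIONS = [
    ("users_can_register", "1"),
    ("default_role", "administrator"),
    ("blogname", "Example Site"),
]

# Constructed sample users: role comes from wp_usermeta (wp_capabilities),
# the timestamp from wp_users.user_registered.
SAMPLE_USERS = [
    {"login": "owner", "role": "administrator", "registered": "2019-03-01 10:00:00"},
    {"login": "editor1", "role": "editor", "registered": "2020-07-15 09:30:00"},
    {"login": "wp_admin_2", "role": "administrator", "registered": "2021-12-09 03:12:44"},
]

# Wordfence first saw the activity on December 8 (year assumed to be 2021).
CAMPAIGN_START = datetime(2021, 12, 8)


def check_options(rows):
    """Return a finding per option that is in the attacker-set state."""
    opts = dict(rows)
    findings = []
    if opts.get("users_can_register") == "1":
        findings.append("users_can_register is enabled (Membership: anyone can register)")
    if opts.get("default_role") == "administrator":
        findings.append("default_role is 'administrator' (New User Default Role)")
    return findings


def suspicious_admins(users, since):
    """Administrator accounts registered on or after `since`, for manual review."""
    return sorted(
        u["login"] for u in users
        if u["role"] == "administrator"
        and datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S") >= since
    )


if __name__ == "__main__":
    for finding in check_options(SAMPLE_OPTIONS):
        print("OPTION:", finding)
    for login in suspicious_admins(SAMPLE_USERS, CAMPAIGN_START):
        print("REVIEW ADMIN:", login)
```

Both option findings together mean any visitor can self-register as an administrator, which is the condition to reverse first; recently registered administrators should then be checked against the site's own records before removal.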
Considering that WordPress is powering over 30% of websites worldwide and plugin bugs are relatively common, attackers will most likely keep targeting the platform and its plugins.