Wordfence Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable sites.
Upon investigation, the research team has uncovered an active attack targeting over a million WordPress sites. Over the past 36 hours, the Wordfence network has blocked over 13.7 million attacks targeting four different plugins and several Epsilon Framework themes across over 1.6 million sites and originating from over 16,000 different IP addresses.
The top 10 offending IPs over the past 36 hours include:
- 144.91.111.6 with 430,067 attacks blocked.
- 185.9.156.158 with 277,111 attacks blocked.
- 195.2.76.246 with 274,574 attacks blocked.
- 37.187.137.177 with 216,888 attacks blocked.
- 51.75.123.243 with 205,143 attacks blocked.
- 185.200.241.249 with 194,979 attacks blocked.
- 62.171.130.153 with 192,778 attacks blocked.
- 185.93.181.158 with 181,508 attacks blocked.
- 188.120.230.132 with 158,873 attacks blocked.
- 104.251.211.115 with 153,350 attacks blocked.
The affected plugins and their versions are:
- PublishPress Capabilities
- Kiwi Social Plugin
- Pinterest Automatic
- WordPress Automatic
The targeted Epsilon Framework themes are:
- Shapely
- NewsMag
- Activello
- Illdy
- Allegiant
- Newspaper X
- Pixova Lite
- Brilliance
- MedZone Lite
- Regina Lite
- Transcend
- Affluent
- Bonkers
- Antreas
- NatureMag Lite – No patch available
How Do I Know If My Site Has Been Infected and What Should I do?
The attackers are updating the users_can_register option to enabled and setting the default_role option to `administrator` in most cases.
You can find these settings by going to the http://examplesite[.]com/wp-admin/options-general.php page. Please make sure the `Membership` setting is correctly set to enabled or disabled, depending on your site, and validate that the `New User Default Role` is appropriately set.
It is recommended to update your plugins and themes as soon as possible, even if they’re not in the above list.
