Hackers Target 1.6 Million WordPress Sites in Massive Campaign Leveraging Vulnerable Plugins and Themes

Website security geeks have identified a massive wave of cyber-attacks targeting a whopping 1.6 million WordPress websites. The campaign is still active and targets several flawed plugins and themes that let attackers effectively take over the victim site.

Wordfence researchers this week released a report warning that hackers are targeting several vulnerable WordPress components that lets attackers update code strings remotely and take over the affected site.

Targeting four individual plugins with unauthenticated arbitrary options update vulnerabilities, the attackers are updating the users_can_registeroption to ‘enabled’ and setting the default_role option to ‘administrator.’

“This makes it possible for attackers to register on any site as an administrator effectively taking over the site,” the researchers warn.

Affected plugins include PublishPress Capabilities (version 2.3 or older), Kiwi Social Plugin (version 2.0.10 or older), Pinterest Automatic (4.14.3 or older), and WordPress Automatic (3.53.2 or older).

Sites with themes based on the Epsilon Framework are also affected, according to the report.

The analysis reveals that 1.6 million WordPress sites were hit with 13.7 million attacks In 36 hours from 16,000 IPs.

Since there was very little activity from attackers targeting any of these vulnerabilities until December 8, 2021, researchers reason that a recent patch issued for PublishPress Capabilities may have led attackers to try exploiting various Arbitrary Options Update vulnerabilities as part of a bigger campaign.

WordPress site owners who rely on these affected components are strongly advised to update their plugins or themes to the latest (patched) version.

“Please ensure that your sites are running a version higher than any of the ones listed. Simply updating the plugins and themes will ensure that your site stays safe from compromise against any exploits targeting these vulnerabilities,” the researchers note.

To determine if your site has already been compromised, check for the existence of unauthorized user accounts. If your site is running a vulnerable version of any of the four plugins or various themes and there is a rogue user account present, the site was likely compromised. In this case, remove any detected user accounts immediately and reset your site’s settings back to their original state.

It is also strongly recommended that site owners revoke admin rights for new users as default.