Sprawling Active Attack Aims to Take Over 1.6M WordPress Sites

Cyberattackers are targeting security vulnerabilities in four plugins plus Epsilon themes to assign themselves administrative accounts.

An active attack against more than 1.6 million WordPress sites is underway, with researchers spotting tens of millions of attempts to exploit four different plugins and several Epsilon Framework themes.

The goal, they said, is complete site takeover using administrative privileges.

The scope of the campaign is notable: The activity is coming from more than 16,000 different IP addresses, according to a Wordfence analysis. There were 13.7 million attacks in the first 36 hours.

Problematic Plugins

Researchers said that the attackers are aiming to exploit critical “unauthenticated arbitrary options update vulnerabilities” in the following plugins: Kiwi Social Share (patched in 2018), and WordPress Automatic, Pinterest Automatic and PublishPress Capabilities (all patched this year).

“In most cases, the attackers are updating the ‘users_can_register’ option to enabled and setting the ‘default_role’ option to ‘administrator,’” Wordfence researchers noted in a Thursday analysis. “This makes it possible for attackers to register on any site as an administrator, effectively taking over the site.”

The activity started in earnest on Dec. 8, according to Wordfence – possibly as the result of attackers becoming interested in arbitrary options update bugs in general after the PublishPress Capabilities plugin was patched on Dec. 6.

Some of these have been exploited before. The Ninja Technologies Network, for instance, flagged a spike in activity specifically against the Kiwi Social Share bug in 2018, starting Dec. 6, shortly after it was patched.

“WordPress Kiwi Social Sharing plugin <2.0.11 is currently exploited since Dec. 6,” the firm said in a short alert at the time. “It allows attackers to modify the WordPress wp_options table in order to create administrator accounts or, for instance, redirect the blog to another website.”

Affected versions are as follows:

  • Kiwi Social Plugin <= 2.0.10 – Adds functionality to let site visitors share content on social media. 10,000+ installations.
  • PublishPress Capabilities <= 2.3 – Allows admins to customize permissions for WordPress user roles, from administrators and editors to authors, contributors, subscribers and custom roles. 100,000+ installations.
  • Pinterest Automatic <= 4.14.3 – Pins images from posts automatically to Pinterest.com. 7,400+ sales.
  • WordPress Automatic <= 3.53.2 – Imports content to WordPress automatically. 28,000+ sales.

Time to Patch

“Due to the severity of these vulnerabilities and the massive campaign targeting them, it is incredibly important to ensure your site is protected from compromise,” according to Wordfence. “We strongly recommend ensuring that any sites running one of these plugins or themes has been updated to the patched version… Simply updating the plugins and themes will ensure that your site stays safe from compromise against any exploits targeting these vulnerabilities.”

To determine if a website has been compromised, admins can review the user accounts on the site to determine if there are any that are unauthorized, researchers recommended.

“If the site is running a vulnerable version of any of the four plugins or various themes, and there is a rogue user account present, then the site was likely compromised via one of these plugins,” they explained. “Please remove any detected user accounts immediately.”

Admins should also go to the http://examplesite[.]com/wp-admin/options-general.php page, and should ensure that the “Membership” setting and the “New User Default Role” are both correctly set, they said.
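
The review described above (the “Membership” and “New User Default Role” settings plus the administrator list) can be scripted with WP-CLI. This is an added example, not code from Wordfence or the original article; it assumes WP-CLI (`wp`) is installed and run from the site root, and that `approved-admins.txt` (a hypothetical file name) lists one legitimate administrator login per line.

```shell
#!/bin/sh
# Added example, not Wordfence's tooling. Assumes WP-CLI ("wp") run from the site root.

# check_registration_options USERS_CAN_REGISTER DEFAULT_ROLE
# Returns 2 for the combination the attackers set (open registration plus
# administrator default role), 1 if only the default role is wrong, 0 otherwise.
check_registration_options() {
    can_register=$1
    role=$2
    if [ "$role" = "administrator" ] && [ "$can_register" = "1" ]; then
        echo "CRITICAL: open registration with default_role=administrator"
        return 2
    elif [ "$role" = "administrator" ]; then
        echo "WARNING: default_role=administrator (registration is closed)"
        return 1
    fi
    echo "OK: users_can_register=$can_register default_role=$role"
    return 0
}

# unexpected_admins ALLOWLIST_FILE
# Reads "user_login,user_email,user_registered" CSV (with header) on stdin and
# prints every row whose login is not listed, one per line, in ALLOWLIST_FILE.
unexpected_admins() {
    allow=$1
    tail -n +2 | while IFS=, read -r login email registered; do
        [ -n "$login" ] || continue
        grep -Fqx -- "$login" "$allow" || echo "$login,$email,$registered"
    done
}

# audit_site ALLOWLIST_FILE: run both checks against the live site.
audit_site() {
    allow=$1
    rc=0
    check_registration_options "$(wp option get users_can_register)" \
        "$(wp option get default_role)" || rc=$?
    rogue=$(wp user list --role=administrator \
        --fields=user_login,user_email,user_registered --format=csv |
        unexpected_admins "$allow")
    if [ -n "$rogue" ]; then
        echo "Administrators not in $allow:"
        echo "$rogue"
        rc=2
    fi
    return "$rc"
}

# Invoke as: sh wp-audit.sh --run approved-admins.txt
if [ "${1:-}" = "--run" ]; then audit_site "${2:?allowlist file required}"; fi
```

A non-zero exit from `audit_site` means the settings or the administrator list need manual review; accounts it prints are candidates for the removal Wordfence recommends, not confirmed rogue users.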

With WordPress powering more than 30 percent of websites globally (455 million sites in total), the platform and third-party plugins will continue to be an attractive target for cyberattackers, especially as plugin bugs are not uncommon. For instance, in October researchers discovered a high-severity vulnerability in the Hashthemes Demo Importer plugin that allows subscribers to wipe sites clean of content.