Mass exploitation of WordPress websites is in progress, with 1.6 million domains experiencing about 13.7 million cyber attacks within 36 hours. At least 16,000 IP addresses took part in the large-scale attack, according to WordPress security firm WordFence in a report published on December 9.
WordFence says that the hackers target multiple vulnerable WordPress plugins and themes with one template having no security patches.
The attackers’ motive is to gain administrative privileges and completely take over vulnerable websites.
Attackers activate registration and default admin roles on WordPress websites
The researchers observed that the attackers changed the ‘users_can_register’ option to enabled before setting the ‘default_role’ option to ‘administrator.’
To mitigate the impact of potential compromise site owners should visit http://examplesite[.]com/wp-admin/options-general.php and ensure that “membership” was not set to ‘anybody can register’ and the ‘New User Default Role’ wasn’t set to the ‘administrator’ role.
Additionally, website owners should check for rogue additions to plugins, user accounts, and user roles.They should immediately update their sites, themes, and plugins and uninstall the NatureMag Lite theme. The WordPress theme does not currently have a patched version. WordFence also provides a comprehensive cleanup guide for securing compromised WordPress websites.
However, the WordPress backend allows administrators to edit source code files. Consequently, the attackers could introduce other loopholes on compromised websites.
Cyber attack targets four vulnerable WordPress plugins and 15 Epsilon themes
WordFence says the ongoing wave of attacks began on Dec 8, after developers patched PublishPress Capabilities vulnerabilities on Dec 6.
The company noted that the large-scale WordPress cyber attacks targeted the “unauthenticated arbitrary options update vulnerabilities” in Kiwi Social Share (2018), WordPress Automatic, Pinterest Automatic, and PublishPress Capabilities plugins.
The researchers also discovered that WordPress Kiwi Social Sharing plugin versions older than 2.0.11 allow the attackers to modify the wp_options table to create administrator accounts or redirect a blog to another site.
The attackers are also targeting a function-injection vulnerability in Epsilon Framework themes allowing remote code execution (RCE). WordFence estimated that at least 150,000 websites use the framework.
“If the site is running a vulnerable version of any of the four plugins or various themes, and there is a rogue user account present, then the site was likely compromised via one of these plugins,” warned WordFence researchers. “Please remove any detected user accounts immediately.”
Cyber attacks targeting WordPress sites
The recent cyber attack occurred hot on the heels of another security vulnerability in the ‘WPS Hide Login’ WordPress plugin that exposed secret admin login pages of more than 1 million websites. The plugin intends to hide the administrator’s wp-admin login page to prevent attacks from automated scripts and hackers who assume the page’s location.
The themes were also subject to a massive probing cyber attack in 2020 involving more than 18,000 IP addresses when WordFence recorded 7.5 million cyber attacks targeting 1.5 million websites. However, the cyber attacks attempted to determine whether the websites had the targeted vulnerabilities in themes instead of performing a complete exploit chain.
Uriel Maimon, senior director of emerging technologies at PerimeterX noted that WordPress had become a regular victim of cyber attacks.
“Shadow Code introduced via third-party plugins and frameworks vastly expands the attack surface for websites,” Maimon said. “As a result, website owners need to be vigilant about third-party plugins and frameworks and stay on top of security updates. They should secure their websites using web application firewalls, as well as client-side visibility solutions that can reveal the presence of malicious code on their sites.”