Hackers Are Exploiting 1.6 Million WordPress Websites Through A Bug In Plugins And Themes

WordPress is considered one of the most popular Content Management Frameworks the web has ever seen.

In 2021, WordPress is reported to power 39.5% of all websites on the internet, up from 35% of sites in 2020. Counting only sites that use a CMS, WordPress has a market share of 64.1% as of January 2021. That number is huge, and it will keep growing as the web grows.

But WordPress, like any other product out there, can have flaws.

This time, four WordPress plugins and 15 Epsilon Framework themes are being exploited to target at least 1.6 million WordPress sites.

The attackers behind this campaign are using at least 16,000 IP addresses to launch their attacks.

The plugins in question are Kiwi Social Share, WordPress Automatic, Pinterest Automatic, and PublishPress, some of which were patched as far back as November 2018.

The impacted Epsilon Framework themes include: Activello, Affluent, Allegiant, Antreas, Bonkers, Brilliance, Illdy, MedZone Lite, NatureMag Lite, NewsMag, Newspaper X, Pixova Lite, Regina Lite, Shapely, and Transcend.

The attacks were first discovered by WordPress security company Wordfence, which disclosed details of them.

The company said that it detected and blocked more than 13.7 million attacks aimed at the plugins and themes in a period of 36 hours. Those attacks were meant to take over websites and carry out malicious actions on them.

According to Wordfence, most of the attacks targeted the users_can_register option, which is the setting that enables new user registration.

By exploiting the flaws, hackers can seize control of targeted websites: they change the default_role setting so that newly registered accounts, including their own, are granted a privileged role.

In most cases, it's the administrator role that the hackers are after, since it gives them complete control of the site.

The researchers said that the intrusions only spiked after December 8, which indicates that "the recently patched vulnerability in PublishPress Capabilities may have sparked attackers to target various Arbitrary Options Update vulnerabilities as part of a massive campaign," as Wordfence's Chloe Chamberland said in a blog post.

WordPress settings (Credit: Wordfence)

To determine whether a site has been compromised through these vulnerabilities, Wordfence recommends that WordPress site owners review the user accounts registered on their website and check for any unauthorized accounts.

If owners of websites running the affected plugins or themes find any rogue accounts, they should remove those accounts immediately.

"It is also important to review the settings of the site and ensure that they have been set back to their original state," said Wordfence.

"You can find these settings by going to the http://examplesite[.]com/wp-admin/options-general.php page."

"Please make sure the 'Membership' setting is correctly set to enabled or disabled, depending on your site, and validate that the 'New User Default Role' is appropriately set. We strongly recommend not using 'Administrator' for the new user default role as this can lead to inevitable site compromise."
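The checks Wordfence describes above are manual. As an added example (not code from the article or from Wordfence), the following must-use plugin enforces the same two settings in code and logs any attempt to change them, so that an Arbitrary Options Update attempt like the ones in this campaign is both blocked and visible in the server log. The hook names are standard WordPress filters and actions; the plugin name and the log prefix are my own.

```php
<?php
/**
 * Plugin Name: Options Guard (example)
 * Description: Blocks the two settings abused in the campaign and logs attempts to change them.
 * Place in wp-content/mu-plugins/ so it loads before regular plugins and cannot be disabled from wp-admin.
 */

// 1. Never let 'default_role' become a role that can manage options (e.g. administrator),
//    regardless of which code path calls update_option(), including a vulnerable plugin's handler.
add_filter( 'pre_update_option_default_role', function ( $new_value, $old_value ) {
    $role = get_role( (string) $new_value );
    if ( null === $role || ! empty( $role->capabilities['manage_options'] ) ) {
        error_log( sprintf(
            'options-guard: blocked default_role change "%s" -> "%s" from %s (user %d)',
            $old_value, $new_value, $_SERVER['REMOTE_ADDR'] ?? 'cli', get_current_user_id()
        ) );
        return $old_value; // returning the old value leaves the option unchanged
    }
    return $new_value;
}, 10, 2 );

// 2. Log every change to 'users_can_register' so a sudden switch to "enabled" shows up in the log.
add_action( 'update_option_users_can_register', function ( $old_value, $new_value ) {
    error_log( sprintf(
        'options-guard: users_can_register changed %s -> %s from %s (user %d)',
        var_export( $old_value, true ), var_export( $new_value, true ),
        $_SERVER['REMOTE_ADDR'] ?? 'cli', get_current_user_id()
    ) );
}, 10, 2 );

// 3. Safety net: a newly created user only keeps the administrator role if an existing
//    administrator (or a WP-CLI session) created it; a self-registered admin is demoted.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user || ! in_array( 'administrator', (array) $user->roles, true ) ) {
        return;
    }
    if ( current_user_can( 'manage_options' ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    $user->set_role( 'subscriber' );
    error_log( sprintf( 'options-guard: demoted self-registered admin user "%s" (ID %d)',
        $user->user_login, $user_id ) );
}, 10, 1 );
```

Entries prefixed with options-guard: in the PHP error log are the detection signal; the blocked default_role change in particular is exactly the write the campaign relies on.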

Following the news, WordPress site owners running any of the aforementioned plugins or themes are advised to apply the latest fixes to mitigate the threat.

Published: 10/12/2021