"Sprawling Active Attack Aims to Take Over 1.6M WordPress Sites"

An active attack against more than 1.6 million WordPress sites is underway, with researchers spotting tens of millions of attempts to exploit four different plugins and several Epsilon Framework themes. The researchers stated that the adversaries' goal is complete site takeover using administrative privileges. The activity is coming from more than 16,000 different IP addresses, according to a Wordfence analysis, with 13.7 million attacks in the first 36 hours. The activity started on December 8, according to Wordfence.

The researchers said that the attackers are aiming to exploit critical "unauthenticated arbitrary options update vulnerabilities" in the following plugins: Kiwi Social Share (patched in 2018), and WordPress Automatic, Pinterest Automatic and PublishPress Capabilities (all patched this year). In most cases, the attackers update the 'users_can_register' option to enabled, and then set the 'default_role' option to 'administrator.' Doing this makes it possible for attackers to register on any site as an administrator, effectively taking over the site.

The attackers are also targeting a function-injection vulnerability present in various Epsilon Framework themes, allowing remote code execution (RCE). Epsilon themes enable site builders to choose different flexible design elements to craft the way a website looks and is organized.

The researchers stated that, due to the severity of these vulnerabilities and the massive campaign targeting them, it is incredibly important to ensure that one's site is protected from compromise. They strongly recommend ensuring that any site running one of these plugins or themes has been updated to the patched version. To determine if a website has been compromised, admins can review the user accounts on the site to determine if there are any that are unauthorized.
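The two indicators the summary describes (the 'users_can_register' / 'default_role' option pair and unexpected administrator accounts) can be checked mechanically. The following is an added example, not code from Threatpost or Wordfence; it works on constructed sample rows shaped like wp_options and wp_users (roles flattened from the wp_capabilities usermeta), and the 2021 year on the campaign start date is an assumption, since the article gives only "December 8".

```python
from datetime import datetime

# Constructed sample of wp_options, as left behind by the options-update
# exploit described in the article (hypothetical data, not a real site).
SAMPLE_OPTIONS = {
    "users_can_register": "1",
    "default_role": "administrator",
}

# Constructed sample of wp_users with roles taken from wp_capabilities.
SAMPLE_USERS = [
    {"user_login": "siteowner", "user_registered": "2019-03-02 10:15:00", "roles": ["administrator"]},
    {"user_login": "editor_jane", "user_registered": "2021-06-11 08:00:00", "roles": ["editor"]},
    {"user_login": "xk9a2", "user_registered": "2021-12-09 03:41:17", "roles": ["administrator"]},
]

# Year is assumed; the article only says the activity started on December 8.
CAMPAIGN_START = datetime(2021, 12, 8)

# WordPress defaults: registration closed, new users become subscribers.
SAFE_OPTIONS = {"users_can_register": "0", "default_role": "subscriber"}


def registration_misconfigured(options):
    """True when open registration hands every new account the administrator role."""
    return (options.get("users_can_register") == "1"
            and options.get("default_role") == "administrator")


def suspicious_admins(users, known_admins, since=CAMPAIGN_START):
    """Administrators not on the allowlist that were registered on or after `since`."""
    hits = []
    for u in users:
        if "administrator" not in u["roles"] or u["user_login"] in known_admins:
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            hits.append(u["user_login"])
    return hits


def remediated_options(options):
    """Copy of the options with the two abused settings reset to WordPress defaults."""
    return {**options, **SAFE_OPTIONS}


if __name__ == "__main__":
    print("registration misconfigured:", registration_misconfigured(SAMPLE_OPTIONS))
    print("unexpected admins:", suspicious_admins(SAMPLE_USERS, {"siteowner"}))
    print("reset to:", remediated_options(SAMPLE_OPTIONS))
```

Resetting the options is not the whole cleanup: any administrator the attacker registered keeps full access until that account is removed.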


Threatpost reports: "Sprawling Active Attack Aims to Take Over 1.6M WordPress Sites"
