Wordfence analysts have discovered a significant wave of cyberattacks originating from 16,000 IPs and targeting more than 1.6 million WordPress sites in the past few days.
Four WordPress plugins and fifteen Epsilon Framework themes are targeted by the threat actors, one of which has no fix available. Some vulnerable plugins were fixed as early as 2018, while others were just patched this week.
The following plugins and their versions are affected:
-
Kiwi Social Plugin
-
PublishPress Capabilities
-
WordPress Automatic
-
Pinterest Automatic
The Epsilon Framework themes that are being targeted are:
-
NewsMag
-
Shapely
-
Activello
-
Illdy
-
Newspaper X
-
Allegiant
-
Pixova Lite
-
Brilliance
-
MedZone Lite
-
Regina Lite
-
Affluent
-
Antreas
-
Transcend
-
Bonkers
-
NatureMag Lite – No patch available
“In most cases, the attackers are updating the users_can_register option to enabled and setting the default_role option to administrator,” Wordfence explains. “This makes it possible for attackers to register on any site as an administrator effectively taking over the site.”
To see whether your site is already hacked, check all your user accounts and search for any rogue additions requiring deletion. Next, go to “http://examplesite[.]com/wp-admin/options-general.php” and look through the site’s settings, paying special attention to the Membership and the new user default role settings.
Even if your plugins and themes aren’t listed above, it’s a good idea to update them as soon as possible. If you’re using NatureMag Lite, you should uninstall it right now because there’s no way to cure it.
If your site has already been hacked, upgrading the plugins will not remove the issue. In this scenario, it is recommended that you first follow the methods provided in thorough clean-up guides. Keep a minimum number of plugins on your WordPress site since this will drastically lower your chances of being targeted and hacked in the first place.
