The Wordfence Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that allow attackers to update arbitrary options on vulnerable sites.

Upon investigation, the research team has uncovered an active attack targeting over a million WordPress sites. Over the past 36 hours, the Wordfence network has blocked over 13.7 million attacks targeting four different plugins and several Epsilon Framework themes across over 1.6 million sites and originating from over 16,000 different IP addresses.

The top 10 offending IPs over the past 36 hours include:

  • with 430,067 attacks blocked.
  • with 277,111 attacks blocked.
  • with 274,574 attacks blocked.
  • with 216,888 attacks blocked.
  • with 205,143 attacks blocked.
  • with 194,979 attacks blocked.
  • with 192,778 attacks blocked.
  • with 181,508 attacks blocked.
  • with 158,873 attacks blocked.
  • with 153,350 attacks blocked.

The affected plugins and their versions are:

  • PublishPress Capabilities
  • Kiwi Social Plugin
  • Pinterest Automatic
  • WordPress Automatic

The targeted Epsilon Framework themes are:

  • Shapely
  • NewsMag
  • Activello
  • Illdy
  • Allegiant
  • Newspaper X
  • Pixova Lite
  • Brilliance
  • MedZone Lite
  • Regina Lite
  • Transcend
  • Affluent
  • Bonkers
  • Antreas
  • NatureMag Lite – No patch available

How Do I Know If My Site Has Been Infected and What Should I Do?

The attackers are updating the `users_can_register` option to enabled and setting the `default_role` option to `administrator` in most cases.

You can find these settings by going to the http://examplesite[.]com/wp-admin/options-general.php page. Please make sure the `Membership` setting is correctly set to enabled or disabled, depending on your site, and validate that the `New User Default Role` is appropriately set.
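The same check can be scripted across many sites. The following is an added example, not code from the original article or from Wordfence: it classifies the two options from the JSON printed by `wp option list --format=json`. It goes one step beyond the settings page by listing administrator accounts registered after a chosen cutoff, taken from `wp user list --role=administrator --fields=user_login,user_registered --format=json`. The function names, severity labels and sample data are assumptions constructed for illustration.

```python
import json
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"  # format of user_registered in WP-CLI output

def audit_options(options_json):
    """Classify users_can_register / default_role from `wp option list --format=json`."""
    opts = {o["option_name"]: str(o["option_value"]) for o in json.loads(options_json)}
    # WordPress defaults: registration off ("0"), new users become "subscriber".
    open_reg = opts.get("users_can_register", "0") == "1"
    role = opts.get("default_role", "subscriber")
    if open_reg and role == "administrator":
        return "critical", "anyone can self-register as administrator"
    if role == "administrator":
        return "high", "default_role is administrator while registration is closed"
    if open_reg:
        return "review", f"registration open with default role '{role}'; confirm it is intended"
    return "ok", "registration closed and default role is not administrator"

def admins_registered_since(admins_json, since):
    """Return administrator logins registered at or after `since` (same clock as the site)."""
    cutoff = datetime.strptime(since, TS)
    return sorted(
        u["user_login"]
        for u in json.loads(admins_json)
        if datetime.strptime(u["user_registered"], TS) >= cutoff
    )

# Constructed sample data in the shape WP-CLI prints; not taken from a real site.
SAMPLE_OPTIONS = json.dumps([
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
])
SAMPLE_ADMINS = json.dumps([
    {"user_login": "site-owner", "user_registered": "2019-03-02 10:15:00"},
    {"user_login": "new-admin-constructed", "user_registered": "2024-01-11 04:20:31"},
])

if __name__ == "__main__":
    print(audit_options(SAMPLE_OPTIONS))
    print(admins_registered_since(SAMPLE_ADMINS, "2024-01-10 00:00:00"))
```

A `critical` or `high` result means the options should be reset on the settings page above, and any account returned by the second function should be verified with the site owner.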

It is recommended to update your plugins and themes as soon as possible, even if they’re not in the above list.