On December 9, 2021, the Wordfence Threat Intelligence team observed a massive number of attacks targeting a specific set of vulnerabilities.
These vulnerabilities allow attackers to update a wide range of arbitrary options on vulnerable sites.
The Wordfence network, over the past 36 hours from December 8th to December 9th, has blocked over 13.7 million attacks that were targeting at least four different plugins.
Certain themes were also targeted, such as the Epsilon Framework themes.
These attacks are wide-ranging, originating from 16,000 different IP addresses, and could potentially affect over 1.6 million sites.
Examination of the Attack Data
The plugins that are being targeted include the following:
- Kiwi Social Share – Patched since November 12, 2018
- WordPress Automatic – Patched since August 23, 2021
- Pinterest Automatic – Patched since August 23, 2021
- PublishPress Capabilities
- Epsilon Framework Themes
The plugins listed above share an unauthenticated arbitrary options update vulnerability, which is being exploited across sites that have them installed.
In addition, a function injection vulnerability in the Epsilon Framework themes is being targeted.
The goal of these attacks is to gain control of a user account with the ‘administrator’ role.
Once the attackers hold such an account, they have full control of the site; whoever is behind the attack effectively owns it.
Wordfence reports that there was very little activity from attackers who were targeting these vulnerabilities until December 8, 2021.
Their educated guess is that the recently patched vulnerabilities drew the attackers’ attention to arbitrary options update vulnerabilities, prompting one large campaign against thousands of sites.
The attackers update the users_can_register option to enabled and set the default_role option to ‘administrator’. With registration open and new accounts defaulting to ‘administrator’, anyone who registers, the attacker included, becomes an administrator and can take over the site.
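As an added example (not from Wordfence or the original article), the following Python script checks a site for the end state described above: it reads the JSON produced by `wp option list --format=json` and `wp user list --format=json`, flags the tampered options, and lists administrator accounts registered since the campaign began on December 8, 2021. The sample JSON, including the user names, is constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample of `wp option list --format=json` output from a site
# where the options update attack succeeded (values are made up).
SAMPLE_OPTIONS = json.dumps([
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
])

# Constructed sample of `wp user list --format=json` output for the same site.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "owner", "user_registered": "2019-03-02 10:00:00",
     "roles": "administrator"},
    {"ID": 57, "user_login": "xk9ff2", "user_registered": "2021-12-09 03:14:07",
     "roles": "administrator"},
    {"ID": 58, "user_login": "reader", "user_registered": "2021-12-09 04:00:00",
     "roles": "subscriber"},
])

# Day the mass exploitation began, per the report.
CAMPAIGN_START = datetime(2021, 12, 8)


def check_options(options_json):
    """Return the option settings that match the attackers' end state."""
    opts = {o["option_name"]: o["option_value"] for o in json.loads(options_json)}
    findings = []
    if opts.get("users_can_register") == "1":
        findings.append("users_can_register is enabled")
    if opts.get("default_role") == "administrator":
        findings.append("default_role is 'administrator'")
    return findings


def suspicious_admins(users_json, since=CAMPAIGN_START):
    """Return logins of administrator accounts registered on or after `since`."""
    hits = []
    for user in json.loads(users_json):
        roles = [r.strip() for r in user["roles"].split(",")]
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and registered >= since:
            hits.append(user["user_login"])
    return hits


def site_looks_compromised(options_json, users_json):
    """True if either the option tampering or a new admin account is present."""
    return bool(check_options(options_json) or suspicious_admins(users_json))
```

On a live site, pipe the real wp-cli output into these functions; a non-empty result from either check is a reason to reset the two options and audit every administrator account.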
Wordfence states:
Which IPs Are the Offending IPs?
Wordfence reports that the top 10 offending IPs over the past 36 hours since December 8th include:
- 185.9.156.158 with 277,111 attacks blocked.
- 195.2.76.246 with 274,574 attacks blocked.
- 37.187.137.177 with 216,888 attacks blocked.
- 51.75.123.243 with 205,143 attacks blocked.
- 185.200.241.249 with 194,979 attacks blocked.
- 62.171.130.153 with 192,778 attacks blocked.
- 185.93.181.158 with 181,508 attacks blocked.
- 188.120.230.132 with 158,873 attacks blocked.
- 104.251.211.115 with 153,350 attacks blocked.
What Is the Severity of These Vulnerabilities?
They are incredibly severe: they allow a bad actor to take over your site outright. Now imagine that happening across a large number of sites rather than a single one.
The network of compromised sites these bad actors stand to gain from this campaign is unprecedented in size.
Such a network could, for example, be used to plant links pointing back to the attackers’ own sites.
Which Plugins and Themes Are Affected?
Wordfence reports that the following plugin versions are affected:
- PublishPress Capabilities <= 2.3
- Kiwi Social Plugin <= 2.0.10
- Pinterest Automatic <= 4.14.3
- WordPress Automatic <= 3.53.2
The following are the affected Epsilon Framework theme versions:
- Shapely <= 1.2.8
- NewsMag <= 2.4.1
- Activello <= 1.4.1
- Illdy <= 2.1.6
- Allegiant <= 1.2.5
- Newspaper X <= 1.3.1
- Pixova Lite <= 2.0.6
- Brilliance <= 1.2.9
- MedZone Lite <= 1.2.5
- Regina Lite <= 2.0.5
- Transcend <= 1.1.9
- Affluent < 1.1.0
- Bonkers <= 1.0.5
- Antreas <= 1.0.6
- NatureMag Lite – No patch known. Recommended to uninstall from site.
Bottom Line: Update Your Plugins and Themes if You Run Any of the Affected Ones Listed
Make sure the plugins and themes you download and install are the updated, patched versions.
Those versions have these vulnerabilities repaired.
Any time a major attack like this is announced, it is a good idea to make sure you update any affected plugins and themes.