[German]Security vendor WordFence's Threat Intelligence team noticed a dramatic increase in vulnerability attacks on WordPress instances on December 9, 2021. In the past 36 hours, the Wordfence network has blocked over 13.7 million attacks against four different plugins and several Epsilon framework themes on over 1.6 million websites, originating from over 16,000 different IP addresses.
Advertising
The attackers targeted 4 individual plugins with unauthenticated, arbitrary option update vulnerabilities. The four plugins are:
- Kiwi Social Share, which has been patched since November 12, 2018,
- WordPress Automatic, patched since August 23, 2021, and
- Pinterest Automatic, patched since August 23, 2021, and
- PublishPress Capabilities, patched since December 6, 2021.
In addition, the attackers target a Function Injection vulnerability in several Epsilon Framework themes and attempt to update arbitrary options. Here is the list of Epsilon Framework themes:
- Shapely
- NewsMag
- Activello
- Illdy
- Allegiant
- Newspaper X
- Pixova Lite
- Brilliance
- MedZone Lite
- Regina Lite
- Transcend
- Affluent
- Bonkers
- Antreas
- NatureMag Lite (kein Patch verfügbar)
In most cases, attackers set the WordPress users_can_register option to enabled and set the default_role option to `administrator.` This allows attackers to register as an administrator on any website and take over the site.
very little attacker activity targeting any of these vulnerabilities through December 8, 2021. This suggests that the recently patched PublishPress Capabilities vulnerability may have prompted attackers to target various vulnerabilities in the Arbitrary Options Update as part of a large-scale campaign.
Attacks on WordPress instances, source: WordFence
Advertising
Protect and audit WordPress
The WordFence blog post 1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs has more details on the attacks and updated plugins. Users running WordFence (whether Free or Pro) are protected by firewall rules and plugin updates.
To check if the WordPress instance is compromised, go to the dashboard and under Settings – General check the Membership option (should be unchecked if you don't allow user registration). And the default role of a new user should be set to Subscriber. If the options are checked and set to Administrator without being planned by the administrator of the WordPress instance, this is an indication of a possible compromise. Then you should check under Users to see if there are entries that don't belong there. (via)
I note again that my decision to use a minimal set of plugins and themes, updated in a timely manner, is not affected by the above vulnerabilities. In addition, the decision not to register users (there are only two accounts for the operator of the websites. This reduces the vulnerability enormously. And WordFence is running here as well.
