Massive Attack Targets 1.6 Million WordPress Sites
13.7 Million Attacks in 36 Hours Seen From More Than 16,000 Different IP Addresses

A massive wave of ongoing attacks against more than 1.6 million WordPress sites has been identified by researchers at security firm Wordfence Security. They report seeing more than 13.7 million different attack attempts over a 36-hour period, all of which focus on exploiting four different WordPress plug-ins and several Epsilon framework themes.
The attack campaign, which originates from more than 16,000 different IP addresses, makes it possible for attackers to take over vulnerable sites through the use of arbitrary option updating.
The researchers recommend that all sites be updated to the latest, patched versions of the plug-ins and themes.
WordPress plug-ins continue to be a major risk to any web application, making them a regular target for attackers, says Uriel Maimon, senior director of emerging technologies at threat protection services provider PerimeterX.
Vulnerability Found
Wordfence researchers say attackers are targeting unauthenticated arbitrary options update flaws in four different plug-ins. Of the plug-ins, Kiwi Social Share was last patched in November 2018; WordPress Automatic and Pinterest Automatic on Aug. 23; and PublishPress Capabilities on Dec. 6.
"Due to the severity of these vulnerabilities and the massive campaign targeting them, it is incredibly important to ensure your site is protected from compromise," Wordfence says. "We strongly recommend ensuring that any sites running one of these plug-ins or themes have been updated to the patched version. Simply updating the plug-ins and themes will ensure that your site stays safe from compromise against any exploits targeting these vulnerabilities."
Wordfence researchers report seeing scant attempts to target these flaws before Wednesday. Given that timing, they suspect that the PublishPress Capabilities patch led attackers to reverse-engineer the flaw and begin targeting various arbitrary options update vulnerabilities.
"Shadow code introduced via third-party plug-ins and frameworks vastly expands the attack surface for websites," Maimon says. "As a result, website owners need to be vigilant about third-party plug-ins and frameworks and stay on top of security updates. They should secure their websites using web application firewalls, as well as client-side visibility solutions that can reveal the presence of malicious code on their sites."
Attackers are also targeting a function injection vulnerability in various Epsilon framework themes to try to update arbitrary options.
The targeted Epsilon framework themes are Activello, Affluent, Allegiant, Antreas, Bonkers, Brilliance, Illdy, MedZone Lite, NewsMag, Newspaper X, Pixova Lite, Regina Lite, Shapely and Transcend. Another affected theme is NatureMag Lite, and as no patch is yet available, the researchers recommend that anyone with this theme installed on their WordPress site immediately delete it.
"In most cases, the attackers are updating the 'users can register' option to 'enabled' and setting the 'default role' option to 'administrator.' This makes it possible for attackers to register on any site as an administrator, effectively taking over the site," Wordfence says.
Vulnerable Plug-ins
The affected plug-ins and their versions include PublishPress Capabilities version 2.0.10 and before. This provides a single point of control over all permissions on a WordPress site - for example, for managing user roles and permissions given to content editors. It has more than 100,000 active installations.
The second plug-in is Kiwi Social Plug-In version 2.0.10 and before, which has more than 10,000 active installations and allows a user to let site visitors share content on social media. The third affected plug-in is Pinterest Automatic version 4.14.3 and before, which helps pin images from users' posts automatically to Pinterest. It has more than 7,400 installations.
The last plug-in affected is WordPress Automatic version 3.53.2 and before, which has more than 28,825 installations and provides the ability to post to WordPress automatically from almost any website. It can also import content from popular sites such as YouTube and Twitter via their APIs, or from almost any website of a user's choice via its scraping modules.
Wordfence researchers recommend that site owners review the user accounts on their site to determine whether any unauthorized accounts have been added.
"If the site is running a vulnerable version of any of the four plug-ins or various themes and there is a rogue user account present, then the site was likely compromised via one of these plug-ins. Please remove any detected user accounts immediately," Wordfence says. "It is also important to review the settings of the site and ensure that they have been set back to their original state."
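The two post-compromise indicators named in this article, open registration with an administrator default role and an unrecognised administrator account, can be checked with a short script. The following is an added example, not code from Wordfence or from this article. It assumes the site's settings and user list have been exported with WP-CLI (`wp option get users_can_register`, `wp option get default_role`, and `wp user list --format=json`); the option keys `users_can_register` and `default_role` are WordPress's real names for the "users can register" and "default role" settings, and the baseline values, the known-admin list and the sample data below are constructed for illustration.

```python
"""Audit a WordPress site for the takeover indicators described above.

Inputs are assumed to come from WP-CLI run on the site (not done here):
  wp option get users_can_register
  wp option get default_role
  wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles
"""
import json
from datetime import datetime

# Baseline for a site that does not allow open registration (assumed policy).
EXPECTED_OPTIONS = {"users_can_register": "0", "default_role": "subscriber"}

# Administrator logins the site owner recognises (assumed; adjust per site).
KNOWN_ADMINS = {"owner"}


def audit_options(options):
    """Return findings for option values that differ from the expected baseline."""
    findings = []
    for key, expected in EXPECTED_OPTIONS.items():
        actual = str(options.get(key, "")).strip()
        if actual != expected:
            findings.append(f"option {key}={actual!r}, expected {expected!r}")
    return findings


def audit_users(users_json, known_admins=KNOWN_ADMINS, since=None):
    """Flag administrator accounts that are not in the known-admin list.

    users_json is the text printed by `wp user list --format=json`; WP-CLI
    emits `roles` as a comma-separated string.  `since` ("YYYY-MM-DD")
    optionally limits the check to accounts registered on or after that date.
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d") if since else None
    findings = []
    for user in json.loads(users_json):
        roles = [r.strip() for r in str(user.get("roles", "")).split(",")]
        if "administrator" not in roles or user["user_login"] in known_admins:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if cutoff is not None and registered < cutoff:
            continue
        findings.append(
            f"unrecognised administrator {user['user_login']} "
            f"({user['user_email']}) registered {user['user_registered']}"
        )
    return findings


# Constructed sample data shaped like WP-CLI output; not taken from any real site.
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
     "user_registered": "2019-03-01 10:00:00", "roles": "administrator"},
    {"ID": 57, "user_login": "editor1", "user_email": "ed@example.com",
     "user_registered": "2020-06-12 08:30:00", "roles": "editor"},
    {"ID": 301, "user_login": "wpadmin2", "user_email": "x@example.invalid",
     "user_registered": "2021-12-09 03:14:07", "roles": "administrator"},
])

if __name__ == "__main__":
    for line in audit_options(SAMPLE_OPTIONS) + audit_users(SAMPLE_USERS):
        print("FINDING:", line)
```

A non-empty result from either function on a site running one of the affected plug-in or theme versions matches the scenario Wordfence describes; the option findings also tell you which settings to restore once the rogue account has been removed.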
In October, Wordfence researchers warned that a WordPress plug-in installed in more than 1 million websites was vulnerable to high-severity bugs.
The vulnerabilities in the OptinMonster plug-in, which helps customers create sales campaigns, would have allowed attackers to export sensitive information and add malicious pieces of code or JavaScript to all affected WordPress sites (see: WordPress Plug-In Bugs Put 1 Million-Plus Sites At Risk).
These aren't the first WordPress plug-in vulnerabilities Wordfence researchers have warned about. In March, they reported that a WordPress plug-in called Tutor LMS had several vulnerabilities associated with unprotected Ajax endpoints. These flaws were later patched (see: WordPress LMS Tutor Plug-In Flaws Patched).