Wordfence analysts have uncovered a massive wave of attacks, coming from 16,000 IPs and targeting over 1 million WordPress sites.

The attacks exploit vulnerabilities in four plugins and fifteen Epsilon Framework themes on sites that have not been updated. One of the themes has no available patch.

The plugins targeted in this campaign were patched as far back as 2018, but some newer ones still haven’t had their vulnerabilities addressed.

With so many vulnerabilities being addressed in a short time period, it is important for site owners to patch their plugins as soon as possible.

The affected plugins and their versions are:

  • PublishPress Capabilities
  • Kiwi Social Plugin
  • Pinterest Automatic
  • WordPress Automatic

The targeted Epsilon Framework themes are:

  • Shapely
  • NewsMag
  • Activello
  • Illdy
  • Allegiant
  • Newspaper X
  • Pixova Lite
  • Brilliance
  • MedZone Lite
  • Regina Lite
  • Transcend
  • Affluent
  • Bonkers
  • Antreas
  • NatureMag Lite – No patch available

Source: Wordfence

“In most cases, the attackers are updating the users_can_register option to enabled and setting the default_role option to administrator,” Wordfence explains.

“This makes it possible for attackers to register on any site as an administrator effectively taking over the site.”

Check, update, clean

Here is a list of things to do once you have detected that your site has been compromised:

1) Check all user accounts and remove any rogue additions immediately

2) Review the settings at “http://examplesite[.]com/wp-admin/options-general.php”

3) Pay attention to the Membership and New User Default Role settings
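
The three checks above can be run as one script. This is an added example, not code from Wordfence. It assumes the options and users were exported as JSON with WP-CLI (`wp option list --format=json` and `wp user list --fields=ID,user_login,user_registered,roles --format=json`); the sample records and the last-known-good date are constructed.

```python
import json
from datetime import datetime

# Constructed sample exports (not from a real site), in the JSON shape assumed
# from `wp option list` and `wp user list` with --format=json.
SAMPLE_OPTIONS = json.dumps([
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
])
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2019-03-02 10:15:00", "roles": "administrator"},
    {"ID": 7, "user_login": "editor1", "user_registered": "2024-02-08 09:00:00", "roles": "editor"},
    {"ID": 9, "user_login": "newacct", "user_registered": "2024-02-09 04:12:44", "roles": "administrator"},
])

SAFE_DEFAULT_ROLE = "subscriber"  # WordPress default role for new registrations


def audit(options_json, users_json, last_known_good):
    """Flag the option changes and rogue administrators described above.

    last_known_good: datetime after which no administrator should have been added.
    """
    findings = []
    opts = {o["option_name"]: str(o["option_value"]) for o in json.loads(options_json)}

    registration_open = opts.get("users_can_register", "0") == "1"
    default_role = opts.get("default_role", SAFE_DEFAULT_ROLE)
    if default_role == "administrator":
        # Open registration plus an administrator default role is the takeover state.
        severity = "CRITICAL" if registration_open else "HIGH"
        findings.append(f"{severity}: default_role is administrator "
                        f"(users_can_register={'1' if registration_open else '0'})")
    elif registration_open:
        findings.append(f"INFO: registration is open, default_role={default_role}")

    for user in json.loads(users_json):
        roles = [r.strip() for r in str(user.get("roles", "")).split(",")]
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and registered > last_known_good:
            findings.append(f"REVIEW: admin '{user['user_login']}' (ID {user['ID']}) "
                            f"registered {user['user_registered']}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_OPTIONS, SAMPLE_USERS, datetime(2024, 1, 1)):
        print(line)
```

An account flagged as REVIEW is not necessarily malicious; it is an administrator created after the date you chose and should be confirmed with the site owner before removal.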

It is always a good idea to update your plugins and themes as soon as possible, even if they’re not on this list. 

If you have NatureMag Lite (a theme), uninstall it immediately: there’s no fix for the threat yet!

Note that updating the plugins won’t eliminate the threat if your site has already been compromised.