WordPress Attacks

Overview

There has been a huge surge of attacks against WordPress sites.
Four individual plugins are targeted, as well as a number of Epsilon Framework themes. Attackers are using the vulnerability to change configuration options on the sites, which then allows them to add new admin users.

Impact

Remote attackers are able to take over vulnerable WordPress installations.

Vulnerability Detection

Check for new user accounts.
Check the settings panel for membership options.
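
One way to run both checks from the command line, as an added example that is not part of the original bulletin. It assumes WP-CLI (`wp`) is installed and that the membership options in question are WordPress's `users_can_register` and `default_role` settings ("Anyone can register" and "New User Default Role" under Settings > General); the `CUTOFF` default is a constructed value.

```shell
#!/bin/sh
# Added example (not from the bulletin). Assumes WP-CLI ("wp") and that the
# script is run from the WordPress root directory.

# Classify the membership settings.
# $1 = value of users_can_register, $2 = value of default_role
check_membership() {
    if [ "$1" = "1" ] && [ "$2" = "administrator" ]; then
        echo "CRITICAL: open registration with default role administrator"
    elif [ "$2" = "administrator" ]; then
        echo "WARNING: default role is administrator"
    elif [ "$1" = "1" ]; then
        echo "NOTICE: open registration, default role $2"
    else
        echo "OK"
    fi
}

# Read "user_login,user_email,user_registered" CSV on stdin (header row first)
# and print the logins registered on or after the cutoff date ($1, YYYY-MM-DD).
# WP-CLI quotes the timestamp because it contains a space, so quotes are stripped.
recent_admins() {
    awk -F, -v cutoff="$1" '
        NR > 1 {
            gsub(/"/, "")                       # drop CSV quoting, re-splits fields
            if (substr($3, 1, 10) >= cutoff) print $1
        }'
}

# Constructed default; set CUTOFF to the start of the window you want to review.
CUTOFF="${CUTOFF:-2021-12-01}"

if command -v wp >/dev/null 2>&1; then
    check_membership "$(wp option get users_can_register)" \
                     "$(wp option get default_role)"
    echo "Administrator accounts registered on or after $CUTOFF:"
    wp user list --role=administrator \
        --fields=user_login,user_email,user_registered --format=csv |
        recent_admins "$CUTOFF"
fi
```

A stock WordPress install reports `users_can_register` as `0` and `default_role` as `subscriber`, so any other result on a site that never enabled registration deserves a closer look.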

Affected Products

Targeted WordPress plugins:

  • PublishPress Capabilities <= 2.3
  • Kiwi Social Plugin <= 2.0.10
  • Pinterest Automatic <= 4.14.3
  • WordPress Automatic <= 3.53.2

Epsilon Framework themes:

  • Shapely <= 1.2.8
  • NewsMag <= 2.4.1
  • Activello <= 1.4.1
  • Illdy <= 2.1.6
  • Allegiant <= 1.2.5
  • Newspaper X <= 1.3.1
  • Pixova Lite <= 2.0.6
  • Brilliance <= 1.2.9
  • MedZone Lite <= 1.2.5
  • Regina Lite <= 2.0.5
  • Transcend <= 1.1.9
  • Affluent < 1.1.0
  • Bonkers <= 1.0.5
  • Antreas <= 1.0.6
  • NatureMag Lite – No patch

Containment, Mitigations & Remediations

Update the plugin where possible.
For the unpatched theme, removal is recommended.

Indicators of Compromise


Threat Landscape

WordPress plugins are a popular target for criminals, as compromised sites can easily be repurposed as phishing sites.

MITRE Methodologies

T1190 – Exploit Public-Facing Application

Further Information

1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs