The developers of the WordPress security plugin Wordfence have reported an ongoing attack campaign against WordPress sites that run specific vulnerable plugins or themes. According to Wordfence, 1.6 million WordPress sites were attacked from 16,000 different IP addresses within 36 hours.
Outdated plugins are dangerous
The attackers exploit "Unauthenticated Arbitrary Options Update" vulnerabilities in four WordPress plugins: Kiwi Social Share, WordPress Automatic, Pinterest Automatic, and PublishPress Capabilities. They also target a Function Injection vulnerability in several Epsilon Framework themes. Fixed versions of all of these plugins and themes have been released. If you do not update your plugins routinely, you should at least update the ones listed above immediately.
Using these vulnerabilities, the attackers enable the "Anyone can register" option in the WordPress settings and change "New User Default Role" to "Administrator". With both settings in place, they simply register a new account, which is created with the Administrator role, and an administrator account gives them full control of the WordPress site.
If you can still reach the WordPress admin panel, check these two settings to see whether your site has been compromised. If "Anyone can register" is enabled and the new user default role is set to "Administrator", revert both settings, review the user list for accounts you do not recognise (especially administrators), and update the affected plugins immediately.
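The same check can be done outside the admin panel, against a database export, which matters when the attackers have already locked the legitimate owner out. The script below is an added example and is not code from Wordfence or from the article. It assumes the default "wp_" table prefix and reads tab-separated rows in the shape of `mysql -B -N` output; the sample rows are constructed for illustration. It flags the two options the campaign flips (`users_can_register` and `default_role`), decodes the PHP-serialized `wp_capabilities` meta value to list administrators, narrows that list to accounts registered after a cutoff date, and emits SQL that reverts the two options to their WordPress defaults.

```python
import re
from datetime import datetime

# Constructed sample data, not taken from the article or from a real site.
# Each block is tab-separated text in the shape of `mysql -B -N` output from the
# default "wp_" table prefix (an assumption; change it if your prefix differs).
#
# wp_options: option_name<TAB>option_value
SAMPLE_OPTIONS = """\
users_can_register\t1
default_role\tadministrator
blogname\tExample Site
"""

# wp_users joined with wp_usermeta (meta_key = 'wp_capabilities'):
# ID<TAB>user_login<TAB>user_registered<TAB>meta_value
SAMPLE_USERS = """\
1\tsiteowner\t2019-03-02 10:15:00\ta:1:{s:13:"administrator";b:1;}
2\teditor_jane\t2020-07-11 08:00:00\ta:1:{s:6:"editor";b:1;}
3\tqwx81a\t2021-12-09 03:41:12\ta:1:{s:13:"administrator";b:1;}
4\tsubscriber_bob\t2021-11-30 12:00:00\ta:1:{s:10:"subscriber";b:1;}
"""

# WordPress stores roles as a PHP-serialized array, e.g.
# a:1:{s:13:"administrator";b:1;}  ->  role "administrator" granted (b:1).
ROLE_GRANT = re.compile(r's:\d+:"([^"]+)";b:1;')


def parse_options(text):
    """Turn option_name<TAB>option_value lines into a dict."""
    options = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition("\t")
            options[name] = value
    return options


def roles_from_capabilities(serialized):
    """Return the roles granted in a serialized wp_capabilities value."""
    return ROLE_GRANT.findall(serialized)


def check_registration_settings(options):
    """Flag the two settings the campaign flips; both together mean any
    visitor can self-register straight into the Administrator role."""
    findings = []
    if options.get("users_can_register") == "1":
        findings.append("users_can_register=1 ('Anyone can register' is enabled)")
    if options.get("default_role") == "administrator":
        findings.append("default_role=administrator ('New User Default Role' is Administrator)")
    return findings


def list_administrators(text, since=None):
    """Return (ID, user_login, user_registered) for every administrator,
    optionally only those registered on or after `since` ("YYYY-MM-DD")."""
    cutoff = datetime.strptime(since, "%Y-%m-%d") if since else None
    admins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        uid, login, registered, caps = line.split("\t")
        if "administrator" not in roles_from_capabilities(caps):
            continue
        if cutoff and datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") < cutoff:
            continue
        admins.append((int(uid), login, registered))
    return admins


def remediation_sql(prefix="wp_"):
    """SQL that reverts the two options to WordPress defaults; run it only
    after confirming the findings, and still rotate all admin credentials."""
    return [
        f"UPDATE {prefix}options SET option_value='0' WHERE option_name='users_can_register';",
        f"UPDATE {prefix}options SET option_value='subscriber' WHERE option_name='default_role';",
    ]


if __name__ == "__main__":
    for finding in check_registration_settings(parse_options(SAMPLE_OPTIONS)):
        print("FINDING:", finding)
    for uid, login, registered in list_administrators(SAMPLE_USERS, since="2021-12-01"):
        print(f"RECENT ADMIN: id={uid} login={login} registered={registered}")
    print("\n".join(remediation_sql()))
```

On a live site with shell access the equivalent checks are `wp option get users_can_register`, `wp option get default_role` and `wp user list --role=administrator` via WP-CLI. Reverting the two options closes the registration door but does not evict an attacker who already holds an administrator account, so delete or demote unrecognised administrators, reset the passwords of the remaining ones, and then update the vulnerable plugins; otherwise the options can simply be flipped again.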