1.6 million WordPress sites under cyber attack from more than 16,000 IP addresses

As many as 1.6 million WordPress sites have been targeted by an active large-scale attack campaign originating from 16,000 IP addresses by exploiting weaknesses in four plugins and 15 Epsilon Framework themes.

WordPress security firm Wordfence, which leaked details of the attacks, said Thursday it detected and blocked more than 13.7 million attacks targeting plugins and themes within 36 hours in an attempt to take control of websites and to carry out malicious actions.

GitHub automatic backups

The plugins in question are Kiwi Social Share (

  • Activello (
  • Well-off (
  • Lightening (
  • Antreas (
  • Bonkers (
  • Gloss (
  • Sick (
  • MedZone Lite (
  • NatureMag Lite (no known patch available)
  • NewsMag (
  • Journal X (
  • Pixova Lite (
  • Regina Lite (
  • Shape (
  • Transcend (

Most of the attacks observed by Wordfence involve the adversary updating the “users_can_register” option (that is, anyone can register) to enabled and setting the “default_role” parameter (that is, (i.e. the default role for users who register on the blog) to be administrator, thus allowing an adversary to register on vulnerable sites as administrator and take control of them.

Additionally, intrusions would not have increased until after December 8, indicating that “the recently patched vulnerability in PublishPress Capabilities may have prompted attackers to target various Arbitrary Options Update vulnerabilities as part of a campaign massive, ”said Chloe Chamberland of Wordfence.

In light of active exploitation, WordPress site owners running any of the aforementioned plugins or themes are recommended to apply the latest patches to mitigate the threat.

Comments are closed.