More than 1.6 million WordPress sites have been targeted by 13.7 million attacks exploiting security flaws in four different plugins and numerous Epsilon Framework themes over a 36-hour period, according to Threatpost
Wordfence researchers reported that threat actors have been abusing already addressed "unauthenticated arbitrary options update vulnerabilities" in the Kiwi Social Share, Pinterest Automatic, WordPress
Automatic, and PublishPress Capabilities plugins, according to researchers. Moreover, a function-injection flaw in 15 Epsilon Framework themes, installed in over 150,000 sites, is also being exploited.
Organizations using the impacted plugins or themes have been urged to immediately apply updates to ensure protection. Researchers noted that system admins could determine potential compromise by checking whether any user accounts are unauthorized.
"If the site is running a vulnerable version of any of the four plugins or various themes, and there is a rogue user account present, then the site was likely compromised via one of these plugins. Please remove any detected user accounts immediately," added researchers.