An ongoing large-scale assault effort coming from 16,000 IP addresses has affected up to 1.6 million WordPress websites by leveraging flaws in four plugins and 15 Epsilon Framework themes.

Wordfence, a WordPress security firm, announced Thursday that it has discovered and prevented more than 13.7 million attempts intended at plugins and themes over the course of 36 hours, with the intention of gaining control of websites and carrying out harmful operations.

The affected plugins include Kiwi Social Share (2.0.10), WordPress Automatic (3.53.2), Pinterest Automatic (4.14.3), and PublishPress Capabilities (2.3), most of which have been fixed since November 2018. The following are the Epsilon Framework themes that have been affected, along with their versions:

Activello (1.4.1), Affluent (1.0.1), Allegiant (1.2.5), Antreas (1.0.6), Brilliance (1.2.9), Illdy (2.1.6), MedZone Lite (1.2.5), NatureMag Lite (no known patch available), NewsMag (2.4.1, 2.4.1, 2.4.1, 2.4.1), Pixova Lite (2.0.6), Regina Lite (2.0.5), Shapely (1.2.8), Transcend (1.1.9), Newspaper X (1.3.1), Pixova Lite (2.0.6), Regina Lite (2.0.5), Shapely (1.2.8), Transcend (1.1.9).

The majority of the attacks detected by Wordfence require the adversary to enable the “users can register” feature and set the “default role” option to administrator, enabling the malicious user to register as an administrator and take control of the vulnerable sites.

Furthermore, the incursions are claimed to have increased just after December 8, suggesting that “the recently fixed vulnerability in PublishPress Capabilities may have spurred attackers to target numerous Arbitrary Options Update vulnerabilities as part of a huge campaign,” according to Wordfence’s Chloe Chamberland.

Because of the ongoing attack, WordPress site owners who use any of the abovementioned plugins or themes should update to the latest updates to protect themselves.