4 June 2020

Massive campaign targets over 1 million WordPress websites in attempt to steal database credentials

The Wordfence researchers have detected a large-scale campaign against WordPress websites in which attackers were trying to exploit old cross-site scripting (XSS) vulnerabilities in WordPress plugins and themes in an attempt to steal database credentials.

Wordfence said that between May 29 and May 31 it blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites. The goal of the attacks was to download wp-config.php files from unpatched websites and gain access to the site’s content and credentials.

Wp-config.php is the file where WordPress stores a site’s database information. This configuration file is usually located in the root of the WordPress installation directory and contains the website’s database credentials and connection information.

“The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem,” Wordfence said.

The researchers said the attacks were launched from over 20,000 different IP addresses that had previously been used in another campaign targeting WordPress sites at the end of April. In that earlier campaign, attackers attempted to inject malicious JavaScript into websites that would redirect visitors to malvertising sites or take advantage of an administrator’s session to plant a PHP backdoor.

“If your server is configured to allow remote database access, an attacker with your database credentials could easily add an administrative user, exfiltrate sensitive data, or delete your site altogether. Even if your site does not allow remote database access, an attacker who knows your site’s authentication keys and salts may be able to use them to more easily bypass other security mechanisms,” the researchers pointed out.
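As an added illustration, not part of the original article or of Wordfence's tooling, the following Python script scans web-server access logs for requests whose percent-decoded path or query string names wp-config.php, the file this campaign tried to download. The log lines are constructed, the log format is assumed to be Apache/nginx "combined" style, and a match only flags a request for review (a search for the string, for example, is benign); it is not proof that the file was leaked.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample access-log lines in "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2020:10:01:02 +0000] "GET /wp-content/plugins/example/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.10 - - [30/May/2020:10:01:05 +0000] "GET /wp-content/themes/example/dl.php?f=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:02:30 +0000] "GET /?p=wp-config.php.bak HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.44 - - [30/May/2020:10:03:00 +0000] "GET /index.php?s=wp-config%2ephp HTTP/1.1" 200 9000 "-" "curl/7.68"
"""

# Fields of the combined log format we need: source IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Matched against the decoded request target, so "%2e" and "%2F" tricks are normalised first.
TARGET_RE = re.compile(r"wp-config\.php", re.IGNORECASE)


def decode_target(target: str) -> str:
    """Percent-decode repeatedly (max 3 rounds) so double-encoded payloads are normalised."""
    prev = None
    for _ in range(3):
        if target == prev:
            break
        prev, target = target, urllib.parse.unquote(target)
    return target


def find_wp_config_requests(log_text: str):
    """Return (hits, per_ip): hits are decoded request records naming wp-config.php,
    per_ip counts those hits per source address (useful for blocking and escalation)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = decode_target(m.group("target"))
        if TARGET_RE.search(decoded):
            hits.append({"ip": m.group("ip"), "status": int(m.group("status")), "target": decoded})
    per_ip = Counter(h["ip"] for h in hits)
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = find_wp_config_requests(SAMPLE_LOG)
    for h in hits:
        # A 200 on such a request deserves manual review; a 404 means the endpoint was absent.
        flag = "REVIEW (HTTP 200)" if h["status"] == 200 else "blocked/missing"
        print(f'{h["ip"]:<14} {h["status"]} {flag}: {h["target"]}')
    print("requests per source IP:", dict(per_ip))
```

If a 200 response to a request like the first sample line is confirmed, the article's guidance applies: rotate the database password and the authentication keys and salts, since both live in wp-config.php.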
