Thousands of websites run buggy WordPress plugin that allows complete takeover
All versions are susceptible, there's no patch, so now's a good time to remove this add-on
Miscreants have reportedly scanned almost 1.6 million websites in attempts to exploit an arbitrary file upload vulnerability in a previously disclosed buggy WordPress plugin.
Wordfence disclosed the flaw almost three months ago, and in a new advisory this week warned that criminals are increasing attacks — the WordPress security shop claims it blocked an average of 443,868 attack attempts per day on its customers' sites.
The plugin's developers never patched the bug, and the plugin has since been closed, which means that all versions are susceptible to attack. The bug hunters estimated that between 4,000 and 8,000 websites still have the vulnerable plugin installed, and noted that while 1,599,852 unique sites were targeted, the majority of those weren't running the plugin.
However, if you fall into the still-running-the-buggy-plugin camp, now is a good time to pull the plug.
Furthermore, even if you aren't directly affected, any of these vulnerable websites could be compromised and altered to play a role in other attacks, such as phishing or hosting malware. In a way, this demonstrates how even minor plugins can fuel wider cybercrime on the internet.
"We strongly recommend completely removing Kaswara Modern WPBakery Page Builder Addons as soon as possible and finding an alternative as it is unlikely the plugin will ever receive a patch for this critical vulnerability," Wordfence warned.
The security vendor said most of the attacks begin with a POST request sent to /wp-admin/admin-ajax.php using the plugin's uploadFontIcon AJAX action, which allows miscreants to upload a malicious file to the victim's website. Wordfence explained:
Your logs may show the following query string on these events:
The threat intel team also noted that most of the exploit attempts came from these 10 IP addresses:
Most of the attacks also include an attempt to upload a zip file named a57bze8931.zip, which, once installed, allows the criminal to keep uploading software nasties to the victim's website.
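The indicators the article gives (POST requests to /wp-admin/admin-ajax.php, the uploadFontIcon action, and the a57bze8931.zip file name) can be checked against an existing web-server access log. The following detector is an added example, not Wordfence's code or the article's; it assumes combined-format access logs and that the plugin action appears as the `action` query parameter, which the article refers to but does not reproduce.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined access-log format (assumption: the site's web server logs in this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators named in the article: the AJAX endpoint, the plugin action, the zip name.
AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "uploadFontIcon"
ZIP_NAME = "a57bze8931.zip"

def classify(line):
    """Return indicator tags for one log line; an empty list means nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return []
    tags = []
    parts = urlsplit(m.group("target"))
    # Assumption: the action is carried in the query string. Actions sent only in
    # the POST body are not visible in an access log and need WAF or app logging.
    action = parse_qs(parts.query).get("action", [])
    if m.group("method") == "POST" and parts.path == AJAX_PATH and AJAX_ACTION in action:
        tags.append("kaswara-upload-attempt")
    if ZIP_NAME in parts.path or ZIP_NAME in parts.query:
        tags.append("known-zip-name")
    return tags

def scan(lines):
    """Return (hits, per_ip): flagged (ip, tags) pairs and hit counts per source IP."""
    hits, per_ip = [], {}
    for line in lines:
        tags = classify(line)
        if tags:
            ip = LOG_RE.match(line).group("ip")
            hits.append((ip, tags))
            per_ip[ip] = per_ip.get(ip, 0) + 1
    return hits, per_ip

# Constructed sample lines using RFC 5737 test addresses, not real traffic.
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Jul/2022:08:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Jul/2022:08:15:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2022:08:15:11 +0000] "GET /wp-content/uploads/a57bze8931.zip HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Jul/2022:08:16:00 +0000] "GET /index.php HTTP/1.1" 200 4201 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LINES)[0]:
        print(ip, tags)
```

A hit on a site that no longer has the plugin installed is still worth a look, since the same sources tend to try other upload paths next.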
Additionally, some of the attacks also include signs of the NDSW trojan, according to Wordfence. This redirects site visitors to malicious websites, which, again, is a good reminder that now's the time to remove the plugin. ®