Thousands of websites run buggy WordPress plugin that allows complete takeover

All versions are susceptible, there's no patch, so now's a good time to remove this add-on

Miscreants have reportedly scanned almost 1.6 million websites in attempts to exploit an arbitrary file upload vulnerability in a previously disclosed buggy WordPress plugin.

Tracked as CVE-2021-24284, the vulnerability affects Kaswara Modern WPBakery Page Builder Addons. If exploited, it lets an attacker upload arbitrary files, including malicious JavaScript, and ultimately take over an organization's website completely.

Wordfence disclosed the flaw almost three months ago, and in a new advisory this week warned that attacks are increasing: the WordPress security vendor says it blocked an average of 443,868 attack attempts per day against its customers' sites.

The plugin's developers never patched the bug, and the plugin has since been closed, so every version remains vulnerable. Wordfence estimates that between 4,000 and 8,000 websites still have the vulnerable plugin installed, and noted that while 1,599,852 unique sites were targeted, most of those were not running the plugin.

However, if you fall into the still-running-the-buggy-plugin camp, now is a good time to pull the plug. 

Even if you are not directly affected, any of these vulnerable websites could be compromised and repurposed for other attacks, such as hosting phishing pages or malware. In that sense, it shows how even a minor plugin can fuel wider cybercrime across the internet.

"We strongly recommend completely removing Kaswara Modern WPBakery Page Builder Addons as soon as possible and finding an alternative as it is unlikely the plugin will ever receive a patch for this critical vulnerability," Wordfence warned.

The security vendor said most of the attacks begin with a POST request sent to /wp-admin/admin-ajax.php using the plugin's uploadFontIcon AJAX action, which allows miscreants to upload a malicious file to the victim's website. Wordfence explained:

Your logs may show the following query string on these events:

/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1

The threat intel team also noted that most of the exploit attempts came from these 10 IP addresses:

  • 217.160.48.108 with 1,591,765 exploit attempts blocked
  • 5.9.9.29 with 898,248 exploit attempts blocked
  • 2.58.149.35 with 390,815 exploit attempts blocked
  • 20.94.76.10 with 276,006 exploit attempts blocked
  • 20.206.76.37 with 212,766 exploit attempts blocked
  • 20.219.35.125 with 187,470 exploit attempts blocked
  • 20.223.152.221 with 102,658 exploit attempts blocked
  • 5.39.15.163 with 62,376 exploit attempts blocked
  • 194.87.84.195 with 32,890 exploit attempts blocked
  • 194.87.84.193 with 31,329 exploit attempts blocked

Most of the attacks also include an attempt to upload a zip file named a57bze8931.zip which, once installed, lets the criminal keep uploading malicious software to the victim's website.
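If you still have web server logs from a site that ran the plugin, the query string and IP list above are enough to build a quick triage scan. The following is an added example, not code from the article or from Wordfence: it parses Apache/nginx combined-format access log lines, flags requests to admin-ajax.php whose action parameter is uploadFontIcon, marks those from the ten listed source addresses, and counts POSTs the server accepted with a 2xx status. The log lines are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# The ten source addresses Wordfence listed in its advisory (from the article).
KNOWN_ATTACK_IPS = {
    "217.160.48.108", "5.9.9.29", "2.58.149.35", "20.94.76.10",
    "20.206.76.37", "20.219.35.125", "20.223.152.221", "5.39.15.163",
    "194.87.84.195", "194.87.84.193",
}

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines; 217.160.48.108 and 5.9.9.29 are from the list above,
# 203.0.113.9 and 198.51.100.7 are documentation-range addresses used as filler.
SAMPLE_LOG = """\
217.160.48.108 - - [19/Jul/2022:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jul/2022:10:01:40 +0000] "GET /wp-content/uploads/2022/07/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
5.9.9.29 - - [19/Jul/2022:10:02:03 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 403 199 "-" "python-requests/2.28"
203.0.113.9 - - [19/Jul/2022:10:03:55 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 57 "-" "curl/7.81"
203.0.113.9 - - [19/Jul/2022:10:04:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    status: int
    known_attacker: bool


def is_uploadfonticon_request(target: str) -> bool:
    """True when the request targets admin-ajax.php with action=uploadFontIcon.

    Matches subdirectory installs (/blog/wp-admin/...) as well as root installs.
    Note: WordPress also accepts `action` in the POST body, which access logs do
    not record, so a query-string match is a lower bound, not a complete census.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return "uploadFontIcon" in parse_qs(parts.query).get("action", [])


def scan_access_log(lines):
    """Return a Hit for every log line that is an uploadFontIcon request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_uploadfonticon_request(m["target"]):
            continue
        hits.append(Hit(ip=m["ip"], ts=m["ts"], method=m["method"],
                        status=int(m["status"]),
                        known_attacker=m["ip"] in KNOWN_ATTACK_IPS))
    return hits


def summarize(hits):
    """Counts a responder would want first: volume, known sources, accepted uploads."""
    return {
        "total": len(hits),
        "from_known_ips": sum(h.known_attacker for h in hits),
        # A 2xx on a POST means the server did not reject the request; if the
        # plugin was installed at the time, treat the host as possibly compromised.
        "accepted_posts": sum(1 for h in hits
                              if h.method == "POST" and 200 <= h.status < 300),
        "top_sources": Counter(h.ip for h in hits).most_common(3),
    }


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print(summarize(scan_access_log(SAMPLE_LOG.splitlines())))
```

Feed it a real log with `scan_access_log(open("access.log"))`. A 403 on these requests usually means a WAF or the server blocked them; a 2xx on a host that had the plugin installed is the signal to go looking for newly written files under wp-content and for the zip named above.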

Additionally, some of the attacks include signs of the NDSW trojan, according to Wordfence, which redirects site visitors to malicious websites. All the more reason to remove the plugin now. ®

Biting the hand that feeds IT © 1998–2022