Pierluigi Paganini July 15, 2022

Researchers spotted a massive campaign that scanned close to 1.6 million WordPress sites for vulnerable Kaswara Modern WPBakery Page Builder Addons.

The Wordfence Threat Intelligence team observed a sudden increase in attacks targeting the Kaswara Modern WPBakery Page Builder Addons. Threat actors are attempting to exploit an arbitrary file upload vulnerability tracked as CVE-2021-24284. The plugin has been closed, but developers haven’t addressed the issue that still impacts all versions of the plugin. An attacker can trigger the issue to upload malicious PHP files to a website using the vulnerable component, leading to code execution and potentially take over the site. Once they’ve established a foothold, attackers can also inject malicious JavaScript into files on the site, among other malicious actions.

The experts strongly recommend completely removing Kaswara Modern WPBakery Page Builder Addons as soon as possible and installing an alternative because likely the plugin will never receive a security fix for this issue.

Wordfence solution is currently protecting over 1,000 websites that are using the plugin, but they estimate that the total number of websites that still have the plugin installed is between 4,000 and 8,000.

“We have blocked an average of 443,868 attack attempts per day against the network of sites that we protect during the course of this campaign. Please be aware that while 1,599,852 unique sites were targeted, a majority of those sites were not running the vulnerable plugin.” reads the advisory published by Wordfence.”The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website.”” ”

Administrators could check if they have been targeted by the threat actors looking for the following query string in their logs:

/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1

The researchers observed that the attack attempts originated from 10,215 IP addresses, most of them coming from ten IPs.

“Based on our analysis of the attack data, a majority of attackers are attempting to upload a zip file named a57bze8931.zip. When attackers are successful at uploading the zip file, a single file named a57bze8931.php will be extracted into the /wp-content/uploads/kaswara/icons/ directory.” concludes the report. “This file is an uploader under the control of the attacker. With this file, a malicious actor has the ability to continue uploading files to the compromised website. The indicators observed in these attacks also include signs of the NDSW trojan, which injects code into otherwise legitimate JavaScript files and redirects site visitors to malicious websites.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, WPBakery Page Builder)

[adrotate banner=”5″]

[adrotate banner=”13″]