Malicious actors have reportedly scanned approximately 1.6 million websites in an attempt to exploit a previously disclosed arbitrary file upload vulnerability in a buggy WordPress plugin.
The vulnerability, tracked as CVE-2021-24284, affects the Kaswara Modern WPBakery Page Builder Addons plugin and, when exploited, allows criminals to upload malicious JavaScript files and completely take over the organization's website.
Wordfence disclosed the vulnerability nearly three months ago and warned in a new advisory this week that criminal attacks are on the rise: the WordPress security shop claims to have blocked an average of 443,868 attack attempts per day against customer sites.
The software developer never patched the bug and the plugin is currently closed, meaning all versions are susceptible to attack. Bug hunters estimate that between 4,000 and 8,000 websites still have the vulnerable plugin installed, while 1,599,852 unique sites were targeted, most of which were not running the plugin.
However, if you’re still in the camp of running buggy plugins, now is a good time to unplug.
Additionally, any of these vulnerable websites could be compromised and defaced, or used for other attacks such as phishing or hosting malware, even against victims who are not directly targeted, showing that even minor plugins can facilitate broader cybercrime on the Internet.
"We strongly recommend that you remove Kaswara Modern WPBakery Page Builder Addons completely as soon as possible and find alternatives as your plugin is unlikely to receive a patch for this critical vulnerability," Wordfence warned.
According to the security vendor, most attacks begin with a POST request to /wp-admin/admin-ajax.php using the plugin's uploadFontIcon AJAX action, which lets the attacker upload malicious files to the victim's website. Wordfence explained:
The logs may show the following query string for these events:
Our threat intelligence team also noted that most of the exploit attempts came from these 10 IP addresses:
- 217.160.48.108: 1,591,765 exploit attempts blocked
- 5.9.9.29: 898,248 exploit attempts blocked
- 2.58.149.35: 390,815 exploit attempts blocked
- 20.94.76.10: 276,006 exploit attempts blocked
- 20.206.76.37: 212,766 exploit attempts blocked
- 20.219.35.125: 187,470 exploit attempts blocked
- 20.223.152.221: 102,658 exploit attempts blocked
- 5.39.15.163: 62,376 exploit attempts blocked
- 194.87.84.195: 32,890 exploit attempts blocked
- 194.87.84.193: 31,329 exploit attempts blocked
Most attacks also include an attempt to upload a zip file named a57bze8931.zip. Once this file is installed, the criminal can continue to upload software to the victim's website.
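For site owners who want to check their own web server logs for the pattern described above, the following is an added example (not code from Wordfence or from this article) that scans access-log lines in the common combined format for POST requests to /wp-admin/admin-ajax.php with action=uploadFontIcon in the query string, tallies them per source IP, and flags any source that appears on the list Wordfence published. It also looks for the a57bze8931.zip file name among a list of paths. The log lines embedded in it are constructed for the demonstration (198.51.100.7 and 203.0.113.9 are documentation addresses, not attackers); the log format and the assumption that the action appears in the query string rather than only in the POST body are assumptions, since only the former is visible in a standard access log.

```python
import os
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the article: the abused AJAX endpoint and action,
# the zip file name seen in most attacks, and the top source IPs Wordfence reported.
AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "uploadFontIcon"
ZIP_NAME = "a57bze8931.zip"
REPORTED_IPS = {
    "217.160.48.108", "5.9.9.29", "2.58.149.35", "20.94.76.10", "20.206.76.37",
    "20.219.35.125", "20.223.152.221", "5.39.15.163", "194.87.84.195", "194.87.84.193",
}

# Assumed log layout: Apache/nginx "combined" format
# ip - - [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '217.160.48.108 - - [12/Jul/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jul/2022:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [12/Jul/2022:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jul/2022:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_exploit_attempt(entry):
    """True when the request matches the pattern from the article: a POST to
    admin-ajax.php whose action query parameter is uploadFontIcon.
    Note: if the action was sent only in the POST body it will not be in the
    access log, so this check can miss attempts; it will not produce false hits."""
    if entry["method"] != "POST":
        return False
    url = urlsplit(entry["target"])
    if url.path != AJAX_PATH:
        return False
    return AJAX_ACTION in parse_qs(url.query).get("action", [])


def scan_log(lines):
    """Count matching requests per source IP and note which sources are on the reported list."""
    attempts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_exploit_attempt(entry):
            attempts[entry["ip"]] += 1
    return {
        "attempts_by_ip": dict(attempts),
        "known_sources": sorted(ip for ip in attempts if ip in REPORTED_IPS),
        "total": sum(attempts.values()),
    }


def find_dropped_zip(paths):
    """Return the paths whose base name is the zip file named in the article."""
    return [p for p in paths if os.path.basename(p) == ZIP_NAME]


def walk_for_zip(root):
    """Convenience wrapper: search a directory tree (e.g. wp-content) for the zip."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(find_dropped_zip(os.path.join(dirpath, f) for f in files))
    return found


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    print(f"{result['total']} matching request(s):")
    for ip, n in sorted(result["attempts_by_ip"].items(), key=lambda kv: -kv[1]):
        tag = " (on Wordfence's list)" if ip in REPORTED_IPS else ""
        print(f"  {ip}: {n}{tag}")
```

Run it against a real log with `scan_log(open("/var/log/apache2/access.log"))` and against the uploads directory with `walk_for_zip("/var/www/html/wp-content")`; a non-zero count on a site that has removed the plugin is simply evidence of scanning, while any hit on the zip name warrants a closer look at what else was written to that directory.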
Additionally, according to Wordfence, some of the attacks also show indications of the NDSW Trojan, which redirects site visitors to a malicious website. This is another reminder that it's time to remove the plugin now. ®