Malicious actors have reportedly scanned approximately 1.6 million websites in an attempt to exploit a previously disclosed arbitrary file upload vulnerability in a buggy WordPress plugin.
Wordfence disclosed the vulnerability nearly three months ago and warned in a new advisory this week that criminal attacks are on the rise: the WordPress security shop claims to have blocked attack attempts against customer sites an average of 443,868 times per day.
The software developer never patched the bug and the plugin is currently closed, which means that all versions are susceptible to attack. Bug hunters estimate that between 4,000 and 8,000 websites still have the vulnerable plugin installed, and that 1,599,852 unique sites were targeted, the majority of which were not running the plugin.
However, if you’re still in the camp of running buggy plugins, now is a good time to unplug.
Additionally, even if not directly affected themselves, any of these vulnerable websites could be compromised and defaced, or used to engage in other attacks such as phishing or hosting malware, showing that even minor plugins can facilitate broader cybercrime on the Internet.
“We strongly recommend that you remove Kaswara Modern WPBakery Page Builder Addons completely as soon as possible and find alternatives as your plugin is unlikely to receive a patch for this critical vulnerability,” warns Wordfence.
According to the security vendor, most attacks start with a POST request sent to /wp-admin/admin-ajax.php using the plugin’s uploadFontIcon AJAX action, which allows the malicious party to upload malicious files to the victim’s website. Wordfence explained:
The logs may show the following query string for these events:
Our threat intelligence team also noted that most of the exploit attempts came from these 10 IPs:
- 18.104.22.168: 1,591,765 exploit attempts blocked
- 22.214.171.124: 898,248 exploit attempts blocked
- 126.96.36.199: 390,815 exploit attempts blocked
- 188.8.131.52: 276,006 exploit attempts blocked
- 184.108.40.206: 212,766 exploit attempts blocked
- 220.127.116.11: 187,470 exploit attempts blocked
- 18.104.22.168: 102,658 exploit attempts blocked
- 22.214.171.124: 62,376 exploit attempts blocked
- 126.96.36.199: 32,890 exploit attempts blocked
- 188.8.131.52: 31,329 exploit attempts blocked
Most attacks also include an attempt to upload a zip file named a57bze8931.zip. Once this file is installed, the criminal can continue to upload software to the victim’s website.
Additionally, according to Wordfence, some of the attacks also contain indications of the NDSW Trojan horse, which redirects site visitors to a malicious website. This is another reminder that it’s time to remove the plugin now. ®
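For site owners who want to check their own access logs for the activity described above (the uploadFontIcon request to admin-ajax.php and the a57bze8931.zip file name), here is an added example detection script. It is not Wordfence's code and not from the advisory; it assumes a common/combined log format and that the action name appears in the query string of the request line (WordPress also accepts it in the POST body, which access logs normally do not record, so a clean result here is not proof of a clean site). The log lines, the 403 "blocked" response and the follow-up GET for the zip under wp-content/uploads are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicators named in the article: the plugin's AJAX action and the zip file
# seen in most attempts. Everything else in this script is constructed.
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "uploadFontIcon"
SUSPECT_ZIP = "a57bze8931.zip"

# Common/combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines using RFC 5737 documentation addresses;
# not real traffic. The 403 line models a request a firewall rule blocked, and
# the GET for the zip is a hypothetical follow-up check on whether the upload
# landed (the real on-disk path, if any, is not stated in the article).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2022:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Aug/2022:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2022:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.7 - - [10/Aug/2022:12:00:04 +0000] "GET /wp-content/uploads/a57bze8931.zip HTTP/1.1" 404 0 "-" "curl/7.68.0"
192.0.2.99 - - [10/Aug/2022:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Aug/2022:12:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def indicators_for(method, uri):
    """Return the list of indicators matched by one request line."""
    parts = urlsplit(uri)
    params = parse_qs(parts.query)
    found = []
    # Assumption: the action name is visible in the query string. A request that
    # carries it only in the POST body will not be caught from the access log.
    if (method == "POST" and parts.path.endswith(AJAX_ENDPOINT)
            and SUSPECT_ACTION in params.get("action", [])):
        found.append(SUSPECT_ACTION)
    # Any request that references the zip file name, whatever the method.
    if SUSPECT_ZIP in parts.path:
        found.append(SUSPECT_ZIP)
    return found


def scan_log(text):
    """Scan access-log text and return (hits, attempts_per_ip).

    hits: list of (ip, method, uri, status, indicators) for matching lines.
    attempts_per_ip: Counter of matching lines per client IP, the same kind of
    per-source tally the advisory reports.
    """
    hits = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip blank or non-matching lines
        found = indicators_for(m["method"], m["uri"])
        if found:
            hits.append((m["ip"], m["method"], m["uri"], int(m["status"]), found))
            per_ip[m["ip"]] += 1
    return hits, per_ip


def likely_successful_uploads(hits):
    """Upload-action requests the server answered with 2xx. Triage these first:
    a 2xx means the request reached the plugin rather than being blocked."""
    return [h for h in hits if SUSPECT_ACTION in h[4] and 200 <= h[3] < 300]


def top_sources(per_ip, n=10):
    """Most active source addresses, like the top-10 list in the advisory."""
    return per_ip.most_common(n)


if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for ip, count in top_sources(per_ip):
        print(f"{ip}: {count} suspicious request(s)")
    for ip, method, uri, status, found in likely_successful_uploads(hits):
        print(f"REVIEW {ip} {method} {uri} -> {status} ({', '.join(found)})")
```

Feed a real log with `scan_log(open("access.log").read())`; any 2xx hit on the upload action is a reason to inspect the uploads directory and the plugin's own folders for files you did not put there, and to treat the site as compromised until that is ruled out.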