The Wordfence Threat Intelligence team is reporting on a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This is an ongoing campaign targeting an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which though previously disclosed, had not been patched they closed the plugin.
“As the plugin was closed without a patch, all versions of the plugin are impacted by this vulnerability. The vulnerability can be used to upload malicious PHP files to an affected website, leading to code execution and complete site takeover.
“We have blocked an average of 443,868 attack attempts per day against the network of sites that we protect during the course of this campaign. Please be aware that while 1,599,852 unique sites were targeted, a majority of those sites were not running the vulnerable plugin.”
An expert with Horizon3.ai offers perspective.
“Attacks like this target and prey on the laymen who aren’t keeping up with the latest security research, attack paths, and EOL products. As an open-source content management system whose primary market group includes those looking for an easy, code-free approach to building custom websites, it’s easy to forget that you can’t trust everyone on the internet. Vetting the vulnerabilities of certain templates and plug-ins available requires an additional interest in preserving website security and dedication to learning or hiring the right technical resource–something out of reach for most WordPress users. There really is no surprise then that a developer of an add-on for an open-source tool decided it wasn’t worth the trouble of patching, especially when CVE ranked the vulnerability as a 10.”
“The primary consideration in a campaign like this is that it can be easily replicated then altered to avoid detection from tools looking for known signatures, and thus, the best means of preventing the attack is to stop using the plugin entirely and revalidate the primary plug-ins and templates being used, almost like assets to an enterprise infrastructure, quarterly or biannually.”