Buggy WordPress plugin allows full site takeover • The Register

Miscreants have reportedly scanned nearly 1.6 million websites in attempts to exploit an arbitrary file upload vulnerability in a previously disclosed buggy WordPress plugin.

The vulnerability, tracked as CVE-2021-24284, affects the Kaswara Modern WPBakery Page Builder add-ons plugin and, if exploited, would allow criminals to upload malicious JavaScript files and even completely hijack an organization’s website.

Wordfence revealed the flaw nearly three months ago and this week warned in a new advisory that criminals are increasing the number of attacks.

The plugin’s developers never patched the bug, and the plugin has since been closed, meaning all versions are susceptible to attack. The bug hunters estimate that between 4,000 and 8,000 websites still have the vulnerable plugin installed, noting that while 1,599,852 unique sites were targeted, the majority of them were not using the plugin.

However, if you fall into the still-running-the-buggy-plugin camp, now is a good time to pull the plug.

Moreover, even if you are not directly affected, any of these vulnerable websites can be compromised and repurposed to play a role in other attacks, such as phishing or malware hosting. In that sense, it shows how even small plugins can fuel wider cybercrime on the web.

“We strongly recommend that you completely remove Kaswara Modern WPBakery Page Builder add-ons and find an alternative as soon as possible, as the plugin is unlikely to ever receive a patch for this critical vulnerability,” Wordfence warned.

The security vendor said most attacks start with a POST request sent to /wp-admin/admin-ajax.php using the plugin’s uploadFontIcon AJAX action, which lets miscreants upload a malicious file to the victim’s website. Wordfence explained:

Your logs may show the following query string about these events:

The Threat Intel team also noted that most exploit attempts come from these 10 IPs:


Most attacks also involve an attempt to upload a zip file called a57bze8931.zip which, once installed, allows the criminal to keep uploading malicious software to the victim’s website.
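As an added defensive illustration (not code from The Register or Wordfence), the script below flags the two indicators named in the article in web-server access logs: POST requests to admin-ajax.php whose query string carries the uploadFontIcon action, and any request referencing a57bze8931.zip, tallying hits per source IP. It assumes the Apache/nginx combined log format; the sample log lines, upload path and IP addresses are constructed (RFC 5737 documentation ranges).

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "uploadFontIcon"   # plugin AJAX action abused by the attacks
SUSPECT_FILE = "a57bze8931.zip"     # archive name seen in most attacks


def classify(line):
    """Return a short reason if the log line matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if m["method"] == "POST" and parts.path == AJAX_PATH:
        # Only a query-string action is visible here; an action sent solely in
        # the POST body never reaches a plain access log.
        if SUSPECT_ACTION in parse_qs(parts.query).get("action", []):
            return "uploadFontIcon via admin-ajax.php"
    if SUSPECT_FILE in m["uri"]:
        return "request referencing a57bze8931.zip"
    return None


def scan(lines):
    """Return (hits, per_ip): matched (ip, reason) pairs and hit counts per IP."""
    hits, per_ip = [], Counter()
    for line in lines:
        reason = classify(line)
        if reason:
            ip = LOG_RE.match(line)["ip"]
            hits.append((ip, reason))
            per_ip[ip] += 1
    return hits, per_ip


# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Jul/2022:10:01:05 +0000] "GET /wp-content/uploads/a57bze8931.zip HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jul/2022:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jul/2022:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Jul/2022:10:04:00 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]
```

When the action arrives only in the POST body, the access log records just the path, so WAF or plugin logs that capture request bodies are needed to see it.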

In addition, some of the attacks also carry signs of the NDSW Trojan, according to Wordfence. This redirects site visitors to malicious websites, which is another good reminder that it’s time to uninstall the plugin now. ®