Security researchers have uncovered a large-scale campaign that has probed more than 1.6 million WordPress websites for a vulnerable plugin that allows file uploads without authentication.

The target is the Kaswara Modern WPBakery Page Builder Addons plugin, which its developer abandoned before patching a critical-severity flaw tracked as CVE-2021-24284.

The flaw lets an unauthenticated attacker upload and delete files on sites running any version of the plugin and inject malicious JavaScript, which can lead to a complete site takeover.

Despite the campaign’s enormous scope, only a small fraction of the 1,599,852 unique sites it has targeted actually run the vulnerable plugin.

The figures come from Defiant, the company behind the Wordfence security plugin for WordPress, whose researchers observed an average of nearly 500,000 attack attempts per day against customer sites.

Indiscriminate large-scale attacks

According to Wordfence telemetry, the attacks began on July 4 and are still ongoing, averaging 443,868 attempts per day.

Daily attacks captured and blocked by Wordfence

The researchers say the attacks originate from 10,215 distinct IP addresses; some of them have generated millions of requests, while others account for only a handful.

IP addresses launching the attacks (Wordfence)

The attackers send a POST request to ‘wp-admin/admin-ajax.php’ that invokes the plugin’s ‘uploadFontIcon’ AJAX action, attempting to upload a malicious ZIP payload that contains a PHP file.

Once in place, that PHP file fetches the NDSW trojan, which injects code into the site’s legitimate JavaScript files to redirect visitors to malicious destinations, including phishing and malware-dropping sites.

The attackers employ filenames like “,” “king,” “,” “,” and “***” for their ZIP payloads.

If any of these files exist on your site, or if any of your JavaScript files contain the string “; if(ndsw==”, the site has been compromised.
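As an added example (not code from the article or from Wordfence), the following Python script checks a WordPress document root and its web-server access logs for the indicators described above: the abandoned plugin's presence, the NDSW marker in JavaScript files, and POST requests to admin-ajax.php that invoke the uploadFontIcon action. The plugin directory name `wp-content/plugins/kaswara`, the combined access-log format, and the sample site and log excerpt are assumptions or constructed data, not details taken from the article.

```python
"""Hunt for the Kaswara/NDSW indicators described in the article.

Two checks on a WordPress document root (plugin present, NDSW marker in .js
files) and two checks on web-server access logs (POST to admin-ajax.php naming
the uploadFontIcon action, and per-IP POST volume to admin-ajax.php).
"""
import re
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List

# Indicators taken from the article.
NDSW_MARKER = b"; if(ndsw=="          # string the trojan leaves in injected JavaScript
AJAX_ACTION = "uploadFontIcon"         # vulnerable AJAX action in the abandoned plugin
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
# Assumption: the plugin's directory name; the article does not state it.
PLUGIN_DIR = "wp-content/plugins/kaswara"


def load_site(root: str) -> Dict[str, bytes]:
    """Read every file below a document root into {relative POSIX path: bytes}."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): p.read_bytes()
            for p in base.rglob("*") if p.is_file()}


def plugin_installed(site: Dict[str, bytes]) -> bool:
    """True if anything lives under the (assumed) plugin directory."""
    return any(path.startswith(PLUGIN_DIR + "/") for path in site)


def js_files_with_ndsw(site: Dict[str, bytes]) -> List[str]:
    """JavaScript files carrying the NDSW injection marker."""
    return sorted(path for path, data in site.items()
                  if path.endswith(".js") and NDSW_MARKER in data)


# Apache/nginx "combined" format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


def _ajax_posts(lines: Iterable[str]):
    """Yield (ip, target) for every POST to admin-ajax.php in the log."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("target").startswith(AJAX_ENDPOINT):
            yield m.group("ip"), m.group("target")


def upload_font_icon_requests(lines: Iterable[str]) -> List[str]:
    """IPs that named the uploadFontIcon action in the query string.

    Caveat: when the attacker sends 'action=uploadFontIcon' in the POST body, an
    ordinary access log never records it; only a WAF or a PHP-level hook sees it.
    """
    return [ip for ip, target in _ajax_posts(lines) if f"action={AJAX_ACTION}" in target]


def noisy_ajax_posters(lines: Iterable[str], threshold: int) -> List[str]:
    """IPs with at least `threshold` POSTs to admin-ajax.php: a volume-based
    fallback for the body-parameter case, since the campaign hammers the endpoint."""
    counts = Counter(ip for ip, _ in _ajax_posts(lines))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample data (not from the article): one infected site, one log excerpt.
SAMPLE_SITE = {
    "wp-content/plugins/kaswara/kaswara.php": b"<?php // plugin stub\n",
    "wp-includes/js/jquery/jquery.min.js":
        b"/*! jQuery stub */\n; if(ndsw===undefined){var ndsw=true,HttpClient=function(){}}",
    "wp-content/themes/demo/app.js": b"console.log('clean');\n",
}
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jul/2022:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Jul/2022:10:15:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jul/2022:10:16:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jul/2022:10:16:41 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("plugin present:", plugin_installed(SAMPLE_SITE))
    print("NDSW marker in:", js_files_with_ndsw(SAMPLE_SITE))
    print("uploadFontIcon from:", upload_font_icon_requests(SAMPLE_LOG))
    print("heavy admin-ajax POSTers:", noisy_ajax_posters(SAMPLE_LOG, threshold=2))
```

Against a live install, call `js_files_with_ndsw(load_site("/var/www/html"))` and feed the real access log lines to the two log functions. The action name normally travels in the POST body, which standard access logs do not capture, so treat a query-string match as a bonus and rely on per-IP POST volume to admin-ajax.php, or on WAF and security-plugin logs, for real coverage.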

If you are still running the Kaswara Modern WPBakery Page Builder Addons plugin, remove it from your WordPress site immediately; the plugin is abandoned, so no fix will be released.

Even if you are not using the plugin, blocking the attacking IP addresses is still advisable. See Wordfence’s blog post for the full list of indicators and the IP addresses responsible for the most requests.
