Security researchers have identified a large-scale campaign that probed more than 1.6 million WordPress websites for a vulnerable plugin that allows file uploads without authentication.
The target is the Kaswara Modern WPBakery Page Builder Addons plugin, which its developer abandoned before the critical-severity arbitrary file upload vulnerability tracked as CVE-2021-24284 was ever patched; no fixed version exists.
Despite the campaign's enormous scope, only a small fraction of the 1,599,852 unique sites it has targeted actually run the vulnerable plugin: the attackers are probing sites indiscriminately rather than selecting ones known to be vulnerable.
The figures come from Defiant, the company behind the Wordfence WordPress security plugin, whose researchers tracked an average of nearly half a million exploitation attempts per day against customer sites.
Indiscriminate large-scale attacks
According to Wordfence telemetry, the attacks began on July 4, 2022 and are still ongoing, averaging 443,868 attempts per day.
The researchers attribute the attacks to 10,215 distinct IP addresses; a few of them have generated millions of requests each, while most have produced far fewer.
The exploit is a POST request to ‘wp-admin/admin-ajax.php’ that invokes the plugin's ‘uploadFontIcon’ AJAX action, which accepts a file from an unauthenticated visitor. The attackers use it to upload a malicious ZIP archive containing a PHP file, giving them the ability to run their own code on the server.
The ZIP payloads carry filenames such as “inject.zip,” “king_zip.zip,” “null.zip,” “plugin.zip,” and “***_young.zip.”
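The request pattern above is easy to hunt for in ordinary web server logs. The following script is an added example, written for this page and not taken from the article or from Wordfence: it parses Combined Log Format lines, flags POST requests to admin-ajax.php that name the ‘uploadFontIcon’ action, tallies them per source IP, and separately flags requests for the campaign's known ZIP payload names. It assumes the ‘action’ parameter appears in the query string (if an attacker sends it only in the POST body, a plain access log cannot show it and you need WAF or PHP-level logging). The sample log lines are constructed for the example and use RFC 5737 documentation IP ranges. One useful detail the status code gives you: WordPress answers an unregistered AJAX action with “0” and HTTP 400, so a 400 on these requests suggests the plugin is absent, while a 200 means some handler actually ran and the site deserves a closer look.

```python
"""Hunt for CVE-2021-24284 exploitation attempts in a web server access log."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (Combined Log Format). The IPs come from the
# RFC 5737 documentation ranges and every line is invented for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Jul/2022:10:12:01 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 153 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jul/2022:10:12:05 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 400 1 "-" "python-requests/2.27.1"
203.0.113.10 - - [04/Jul/2022:10:13:44 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 153 "-" "Mozilla/5.0"
192.0.2.55 - - [04/Jul/2022:10:14:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44 "-" "Mozilla/5.0"
192.0.2.55 - - [04/Jul/2022:10:15:22 +0000] "GET /wp-content/uploads/inject.zip HTTP/1.1" 404 196 "-" "curl/7.81.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# ZIP names reported for this campaign; "***_young.zip" has a redacted prefix,
# so it is matched on its suffix alone.
PAYLOAD_NAMES = {"inject.zip", "king_zip.zip", "null.zip", "plugin.zip"}
PAYLOAD_SUFFIX = "_young.zip"
VULN_ACTION = "uploadFontIcon"


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    rec["query"] = parse_qs(parts.query)
    return rec


def is_upload_attempt(rec):
    """POST to admin-ajax.php naming the vulnerable action in the query string."""
    return (
        rec["method"] == "POST"
        and rec["path"].endswith("/wp-admin/admin-ajax.php")
        and VULN_ACTION in rec["query"].get("action", [])
    )


def is_payload_fetch(rec):
    """Request whose last path segment is one of the campaign's ZIP names."""
    name = rec["path"].rsplit("/", 1)[-1]
    return name in PAYLOAD_NAMES or name.endswith(PAYLOAD_SUFFIX)


def scan_log(text):
    attempts = Counter()   # exploitation attempts per source IP
    handled = Counter()    # attempts answered with HTTP 200: a handler for the action ran
    payload_fetches = []   # (ip, path) for requests to known payload names
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_upload_attempt(rec):
            attempts[rec["ip"]] += 1
            if rec["status"] == 200:
                handled[rec["ip"]] += 1
        if is_payload_fetch(rec):
            payload_fetches.append((rec["ip"], rec["path"]))
    return {"attempts": attempts, "handled": handled, "payload_fetches": payload_fetches}


def block_list(results):
    """Source IPs to feed into a firewall deny list, busiest first."""
    ips = set(results["attempts"]) | {ip for ip, _ in results["payload_fetches"]}
    return sorted(ips, key=lambda ip: (-results["attempts"][ip], ip))


if __name__ == "__main__":
    r = scan_log(SAMPLE_LOG)
    for ip, n in r["attempts"].most_common():
        print(f"{ip}: {n} uploadFontIcon attempt(s), {r['handled'][ip]} answered 200")
    for ip, path in r["payload_fetches"]:
        print(f"{ip} requested known payload name {path}")
    print("deny:", ", ".join(block_list(r)))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. On the sample data it reports two attempts from 203.0.113.10 that were answered with 200, one from 198.51.100.7 that got a 400, and a request for inject.zip from 192.0.2.55; the deny list covers all three addresses.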
If your WordPress site still has the Kaswara Modern WPBakery Page Builder Addons plugin installed, remove it immediately. Because the plugin is abandoned, no patched version will ever be released, so deleting it entirely (not merely deactivating it) is the only remediation. After removal, check the uploads directory for ZIP files and PHP files you did not put there.
Even if you do not use the plugin, blocking the attacking IP addresses is still recommended. Wordfence's blog post lists the indicators of compromise and the most prolific source addresses.