Critical WordPress Plugin Vulnerability Could Lead to a Website Takeover

July 17, 2022

According to reports, there is a new campaign targeting WordPress websites. Attackers have scanned nearly 1.6 million websites in an effort to take advantage of a previously exposed vulnerability in a WordPress plugin that allows arbitrary file uploads.

The vulnerability affects Kaswara Modern WPBakery Page Builder Addons and enables hackers to upload malicious JavaScript files and possibly take over a website entirely.

The Vulnerability

  • CVE-2021-24284, Critical (CVSS 3.1: 9.8) – allows an unauthenticated attacker to upload and delete files on websites running any version of the plugin and inject malicious JavaScript, which might result in a full site takeover.
    The attackers attempted to upload a malicious ZIP payload containing a PHP file using the plugin’s ‘uploadFontIcon’ AJAX function by sending a POST request to ‘wp-admin/admin-ajax.php’.
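As an added detection example (not part of the advisory or of any vendor tooling), the script below scans web-server access logs for POST requests to wp-admin/admin-ajax.php that invoke the ‘uploadFontIcon’ action named above and tallies them per source address. The log lines are constructed samples in Apache "combined" format, and the example assumes the action is passed in the query string; if a request carries it only in the POST body, a WAF or proxy log that records bodies is needed instead.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 187 "-" "curl/7.68.0"
198.51.100.23 - - [17/Jul/2022:10:01:05 +0000] "GET /wp-content/uploads/2022/07/image.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2022:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 187 "-" "curl/7.68.0"
198.51.100.23 - - [17/Jul/2022:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Captures client IP, timestamp, method, request target and HTTP status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# AJAX action abused in this campaign (from the advisory); extend as needed.
SUSPICIOUS_ACTIONS = {"uploadFontIcon"}

def parse_line(line):
    """Return a dict of the fields we care about, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    qs = parse_qs(target.query)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": target.path,
        "action": qs.get("action", [None])[0],
        "status": int(m.group("status")),
    }

def find_suspicious(log_text):
    """Return parsed records for POSTs to admin-ajax.php that use a suspicious action."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].endswith("/wp-admin/admin-ajax.php") and rec["action"] in SUSPICIOUS_ACTIONS:
            hits.append(rec)
    return hits

def hits_by_ip(hits):
    """Count suspicious requests per source address, to prioritise blocking or triage."""
    return Counter(h["ip"] for h in hits)
```

A 200 response to such a request is the case worth triaging first, since it suggests the upload handler accepted the payload.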

Affected Versions

  • Kaswara Modern VC Addons WordPress plugin through 3.0.1 (all versions)

Mitigation

Since the plugin’s developers never patched the bug and the plugin is now closed, CYREBRO recommends removing the vulnerable plugin from your WordPress site immediately.

In addition, CYREBRO recommends blocking the following IP addresses used by the attackers:


References: NIST Advisory, WordFence
