Massive cyberattack campaign targets 1.6 million WordPress sites for vulnerable plugins


WordPress is one of the most popular and therefore most commonly used content management systems (CMS) on the web. However, it has a particular problem with authors of add-ons, extensions and plugins who abandon their projects and subsequently leave gaping holes in the site’s security. A case in point was highlighted by the Wordfence blog this week, which discusses a serious vulnerability that users of Kaswara Modern WPBakery Page Builder Addons have now fallen prey to.

The Kaswara addon was abandoned by its author before an arbitrary file upload vulnerability, identified as CVE-2021-24284, surfaced, so the flaw was never fixed. WordPress users who are not vigilant, or who do not pay anyone or any service to be vigilant for them, can easily fall behind on core and extension updates. Additionally, some plugins become obsolete or may be replaced with new built-in features or much better solutions as time and technology progress. Kaswara Modern WPBakery Page Builder Addons has a vulnerability that allows something very bad: it can be used as a “route” to upload malicious PHP files to an affected website, leading to code execution and full site takeover. Of course, this could just be the start of a very slippery downward slope for your website’s content, ranking, and reputation.

It is recommended that all users of Kaswara Modern WPBakery Page Builder Addons disable them and then purge them as soon as possible. A modern and regularly updated alternative addon with similar functionality can be sought if needed. Even if you have this addon and it is not activated on your site, it still needs to be removed.
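One way to carry out the check recommended above, as an added example that is not from the original article or from Wordfence: a filesystem scan that reports installed copies whether or not they are activated. It assumes the addon's `Plugin Name` header contains "Kaswara" (taken from the product name in this article); the sample tree, its folder names and its version strings are constructed.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a header comment within the first
# 8 KB of a PHP file in the plugin's folder.
HEADER_BYTES = 8192
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$", re.M | re.I)

def read_plugin_header(php_file):
    """Return header fields (lower-cased keys) found in a plugin PHP file."""
    try:
        with open(php_file, "rb") as fh:
            head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
    except OSError:
        return {}
    head = head.replace("\r\n", "\n").replace("\r", "\n")
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def find_plugin(wp_root, needle="kaswara"):
    """List (folder, name, version) for plugins whose name or folder has needle.

    Only the filesystem is inspected, so deactivated copies are reported too.
    """
    hits = []
    plugins_dir = Path(wp_root) / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return hits
    for folder in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(folder.glob("*.php")):
            header = read_plugin_header(php)
            name = header.get("plugin name", "")
            if name and needle.lower() in (name + " " + folder.name).lower():
                hits.append((str(folder), name, header.get("version", "unknown")))
                break
    return hits

def build_sample_site(root):
    """Constructed sample tree (hypothetical folder names and versions)."""
    samples = {
        "addon-sample-dir/main.php": "<?php\n/*\n * Plugin Name: Kaswara Modern "
        "WPBakery Page Builder Addons\n * Version: 0.0.0-sample\n */\n",
        "hello-sample/hello.php": "<?php\n/*\nPlugin Name: Hello Sample\nVersion: 1.0\n*/\n",
    }
    for rel, body in samples.items():
        target = Path(root) / "wp-content" / "plugins" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for folder, name, version in find_plugin(tmp):
            print(f"REMOVE: {name} {version} at {folder}")
```

On a real server, pass each WordPress document root to `find_plugin` and delete every folder it reports.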

While sites like HotMaterial are now aware of this mainstream addon vulnerability, it has been well known to threat actors for 10 or 11 days. Wordfence notes that it has blocked nearly half a million attempted attacks per day since early July, attacks that sites without such protection would fall victim to. The creators of Wordfence claim that around 1.6 million sites under its protection have been repeatedly targeted by attackers looking for the vulnerability.

Attack volume chart for early July (Source: Wordfence blog)

Of course, Wordfence promotes its plugin in the blog post regarding Kaswara Modern WPBakery Page Builder Addons and CVE-2021-24284. However, there is every reason to do so, given that users of the Wordfence plugin for WordPress, even the free tier, have had protection against the CVE-2021-24284 vulnerability since mid-May.

You can read more about Kaswara Modern WPBakery Page Builder Addons, CVE-2021-24284 and Wordfence via the source blog. Additionally, the blog lists the top 10 IP addresses from which exploits for CVE-2021-24284 are attempted, which is useful if you want to blacklist them from accessing your WordPress site.

