Researchers at Defiant noted a sudden surge in attacks against Kaswara Modern WPBakery Page Builder – an abandoned WordPress plugin with millions of installs.
Attackers are mass scanning the web for sites with this plugin, so they can exploit a known vulnerability and takeover vulnerable sites. Researchers said that attackers with successful exploits of this plug-in could upload malicious JavaScript files and infect the victim site’s visitors.
An Abandoned WordPress Plugin
Hackers exploiting old software that was dumped by authors is common since they contain vulnerabilities that won’t get any patches. The same thing happens with WordPress sites too, where threat actors target vulnerable plug-ins in WordPress sites to exploit.
One such instance is now happening against the Kaswara Modern WPBakery Page Builder – a fairly popular WP plugin that was abandoned by its author and contains a security vulnerability tracked as CVE-2021-24284.
When exploited, this can let unauthenticated users access the site, who can then upload any malicious files and perform admin-level commands like posting or deleting stuff. Researchers at Defiant noted that 1,599,852 unique sites are being targeted by hackers this week!
Although, a small portion of them are running this faulty plugin. Yet, they’re surprised to see the width of the campaign, where attackers are mass scanning the web to find vulnerable sites. Even now, an average of half a million attack attempts are happening every day, say the researchers.
WordPress site admins using the Kaswara Modern WPBakery Page Builder plugin are advised to remove it completely, as the author hasn’t released any patches for it to close the above-noted vulnerability.
Also, the other site admins are advised to check their sites with suspicious zip files (‘inject.zip’, ‘king_zip.zip’, ‘null.zip’, ‘plugin.zip’, and ‘***_young.zip’) to spot infections and remove them if available.
