Experts Notice Sudden Surge in Exploitation of WordPress Page Builder Plugin Vulnerability

Researchers from Wordfence have sounded the alarm about a “sudden” spike in cyber attacks attempting to exploit an unpatched flaw in a WordPress plugin called Kaswara Modern WPBakery Page Builder Addons.

Tracked as CVE-2021-24284, the issue is rated 10.0 on the CVSS vulnerability scoring system and relates to an unauthenticated arbitrary file upload that could be abused to gain code execution, permitting attackers to seize control of affected WordPress sites.

Although the bug was originally disclosed in April 2021 by the WordPress security company, it continues to remain unresolved to date. To make matters worse, the plugin has been closed and is no longer actively maintained.

Wordfence, which is protecting over 1,000 websites that have the plugin installed, said it has blocked an average of 443,868 attack attempts per day since the start of the month.

The attacks have emanated from 10,215 IP addresses, with a majority of the exploitation attempts narrowed down to 10 IP addresses. These involve uploading a ZIP archive containing a malicious PHP file that allows the attacker to upload rogue files to the infected website.

The goal of the campaign, it appears, is to insert code into otherwise legitimate JavaScript files and redirect site visitors to malicious websites. It’s worth noting that the attacks have been tracked by Avast and Sucuri under the monikers Parrot TDS and NDSW, respectively.

Between 4,000 and 8,000 websites are said to have the plugin installed, making it imperative that users remove it from their WordPress sites to thwart potential attacks and find an appropriate alternative.

Leave a Reply

Your email address will not be published. Required fields are marked *