Researchers have spotted scans against 1.6 million WordPress sites looking for the vulnerable Kaswara Modern WPBakery Page Builder Addons plugin.
According to the Wordfence Threat Intelligence team, attackers have been targeting an arbitrary file upload vulnerability (CVE-2021-24284) via the ‘uploadFontIcon’ AJAX action in the now-closed plugin.
“As the plugin was closed without a patch, all versions of the plugin are impacted by this vulnerability. The vulnerability can be used to upload malicious PHP files to an affected website, leading to code execution and complete site takeover. Once they’ve established a foothold, attackers can also inject malicious JavaScript into files on the site, among other malicious actions,” Wordfence explained in the blog post.
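To illustrate what the attack path above looks like from the defender's side, here is an added example (not code from Wordfence or from the article) that scans web-server access logs for two signals: requests to WordPress's `admin-ajax.php` carrying the `uploadFontIcon` action named in the advisory, and PHP files subsequently served from the `wp-content/uploads` tree, where executable code should not normally live. The log lines are constructed, and the detector assumes the `action` parameter appears in the query string; attempts sent only in the POST body are not visible in standard access logs and need WAF or application logging instead.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2022:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2022:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2022:10:01:09 +0000] "GET /wp-content/uploads/2022/07/icons.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2022:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# AJAX action named in the advisory; WordPress routes all such actions through admin-ajax.php.
VULN_ACTION = "uploadFontIcon"
# PHP requested from the uploads tree (heuristic: uploads should hold media, not code).
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php\d?$", re.IGNORECASE)


def classify(line):
    """Return an (ip, reason, uri) finding for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, uri, status = m["ip"], m["uri"], int(m["status"])
    parts = urlsplit(uri)
    if parts.path.endswith("/wp-admin/admin-ajax.php"):
        # Exact match: admin-ajax action names are case-sensitive.
        if VULN_ACTION in parse_qs(parts.query).get("action", []):
            return (ip, "uploadFontIcon-attempt", uri)
    # A 200 for PHP under uploads suggests a dropped file is being reached after the upload.
    if UPLOADS_PHP.match(parts.path) and status == 200:
        return (ip, "php-served-from-uploads", uri)
    return None


def scan_log(text):
    """Scan a whole log; return the findings list and per-IP finding counts."""
    findings = [f for f in (classify(l) for l in text.splitlines()) if f]
    return findings, Counter(f[0] for f in findings)


if __name__ == "__main__":
    for ip, reason, uri in scan_log(SAMPLE_LOG)[0]:
        print(f"{ip}\t{reason}\t{uri}")
```

A hit on the second signal from the same source shortly after the first is the pattern to escalate on, since it indicates the upload may have succeeded rather than merely been attempted.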
NIST rates this vulnerability Critical severity (CVSS score of 9.8).
Moreover, Wordfence said it has blocked an average of 443,868 attack attempts per day against Wordfence-protected sites during the recent campaign.
Although nearly 1.6 million sites have been under attack, Wordfence confirmed the “majority of those sites were not running the vulnerable plugin.”
As Wordfence recommended back in an April post, users should disable and remove the Kaswara Modern WPBakery Page Builder Addons plugin as soon as possible, since a patch for this critical vulnerability is highly unlikely.