A critical vulnerability reported in 2021 in the Kaswara plugin for the WordPress visual builder WPBakery is being actively exploited in a recent wave of attacks.
WPBakery Page Builder is a visual builder for the WordPress CMS that lets you create websites without coding knowledge. The builder has various add-on plugins, each designed to add different functionality. One of these is Kaswara, which was abandoned by its developer before a patch was released for a critical vulnerability that was reported in April 2021 and tracked as CVE-2021-24284. Attacks attempting to exploit the flaw to compromise sites built with this CMS were already recorded in 2021, but significant malicious activity looking for websites vulnerable to it has been recorded recently.
The vulnerability allows an unauthenticated attacker to upload arbitrary files to WordPress sites, including malicious PHP files that can lead to remote code execution and full control of the site, or to inject malicious JavaScript code.
According to Wordfence, the company that develops a security plugin for WordPress, significant activity from actors trying to exploit this flaw began to be detected on July 4, 2022. Specifically, an average of more than 440,000 attack attempts per day were recorded, from more than 10,000 different IP addresses, targeting more than one and a half million sites; this includes attacks on sites that do not have the plugin installed. It is also estimated that between 4,000 and 8,000 WordPress sites still have the plugin installed and remain exposed. Uninstalling the plugin as soon as possible and looking for an alternative is recommended, because a patch to fix the vulnerability will most likely never be released.
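To act on the recommendation above on a server that hosts several sites, the following added example (not code from Wordfence or from the original article) inventories WordPress installs that still carry the plugin and lists PHP files sitting in their uploads tree, the kind of file the vulnerability lets an attacker drop. It assumes the plugin's folder name under `wp-content/plugins` contains "kaswara"; the function names are hypothetical.

```python
"""Added example: find WordPress installs with the Kaswara add-on and PHP files in uploads."""
import os
import sys

# Assumption: the add-on's folder under wp-content/plugins contains "kaswara".
PLUGIN_NAME_HINT = "kaswara"
PHP_EXTENSIONS = (".php", ".phtml", ".phar")

def find_wordpress_roots(base):
    """Yield directories that look like a WordPress root (have wp-content/plugins)."""
    for dirpath, dirnames, _ in os.walk(base):
        if os.path.isdir(os.path.join(dirpath, "wp-content", "plugins")):
            yield dirpath
            dirnames[:] = []  # do not descend into the install itself

def kaswara_dirs(wp_root):
    """Return plugin folders whose name matches the hint, case-insensitively."""
    plugins = os.path.join(wp_root, "wp-content", "plugins")
    return sorted(os.path.join(plugins, n) for n in os.listdir(plugins)
                  if PLUGIN_NAME_HINT in n.lower()
                  and os.path.isdir(os.path.join(plugins, n)))

def php_in_uploads(wp_root):
    """Return PHP-type files under wp-content/uploads, which normally holds media."""
    uploads = os.path.join(wp_root, "wp-content", "uploads")
    hits = []
    for dirpath, _, filenames in os.walk(uploads):
        for name in filenames:
            if name.lower().endswith(PHP_EXTENSIONS):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def audit(base):
    """Map each WordPress root to its findings; roots with nothing to report are omitted."""
    report = {}
    for root in find_wordpress_roots(base):
        plugin, php = kaswara_dirs(root), php_in_uploads(root)
        if plugin or php:
            report[root] = {"plugin_dirs": plugin, "php_in_uploads": php}
    return report

if __name__ == "__main__":
    for root, found in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for kind, paths in found.items():
            for path in paths:
                print(f"{root}: {kind}: {path}")
```

A PHP file under uploads is a lead to review rather than proof of compromise, since some plugins place harmless stub files there.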
It is worth remembering that attackers often take advantage of vulnerabilities in plugins for WordPress and other content managers to compromise sites and use them for other malicious actions, from injecting a backdoor or other malware, to distributing phishing, to creating spam pages or redirecting visitors to malicious sites. That’s why it’s important to keep each of the add-ons we use to extend this popular content manager updated to the latest version.