Security
Headlines
HeadlinesLatestCVEs

Headline

WordPress Kaswara Modern WPBakery Page Builder 3.0.1 File Upload

WordPress Kaswara Modern WPBakery Page Builder plugin versions 3.0.1 and below suffer from an arbitrary file upload vulnerability.

Packet Storm
#xss#vulnerability#web#git#java#wordpress#php
Description: Arbitrary File Upload/Deletion and OtherAffected Plugin: Kaswara Modern WPBakery Page Builder AddonsPlugin Slug: kaswaraAffected Versions: <= 3.0.1CVE ID: CVE-2021-24284CVSS Score: 10.0 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HFully Patched Version: NO AVAILABLE PATCH.The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website. Your logs may show the following query string on these events:/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1We have observed 10,215 attacking IP addresses, with the vast majority of exploit attempts coming from these top ten IPs:- 217.160.48.108 with 1,591,765 exploit attempts blocked- 5.9.9.29 with 898,248 exploit attempts blocked- 2.58.149.35 with 390,815 exploit attempts blocked- 20.94.76.10 with 276,006 exploit attempts blocked- 20.206.76.37 with 212,766 exploit attempts blocked- 20.219.35.125 with 187,470 exploit attempts blocked- 20.223.152.221 with 102,658 exploit attempts blocked- 5.39.15.163 with 62,376 exploit attempts blocked- 194.87.84.195 with 32,890 exploit attempts blocked- 194.87.84.193 with 31,329 exploit attempts blockedtotal exploit attempts (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVBShv6GLdzPVD2tfx2nL3-mW1vWpFD4Ms7XyN7RflyV3kWF_V1-WJV7CgVwTW2HR3PZ2kBMBfW2t6xdk5Ml1S9W5bCZ525-mJqWW40tw862L5dGgW3Y11hW3lq3yLW7y3VmP4FS25GW5F4n688Q7Md-W7h1qvn5WjbzdDFPF5rn3yqW3GxZMh3tKpFmW97_3MJ3QxrZsW4G865d4YQk8NW4L97Qj65XkLvW4lVm1J6zK1PHN4PpGwFcdg7nW5KZv7G1P1n1wW2xsSjJ8lVXZJW6-vVB14dqX31W51ts4M1f3sHMN3WTKGV7R0VmW3BkkKd7HcTHcW3Mgljb1Lw63wW7_lfQF8d1jK9W2STHKk85KKhwW29fhqS6Z-kR3W7CZrhd3CR-ZvW3N9v9p8j3s_9W4dwzb85pW5-f3fY-1 )Indicators of CompromiseBased on our analysis of the attack data, a majority of attackers are attempting to upload a zip file named a57bze8931.zip. When attackers are successful at uploading the zip file, a single file named a57bze8931.php will be extracted into the /wp-content/uploads/kaswara/icons/ directory. The malicious file has an MD5 hash of d03c3095e33c7fe75acb8cddca230650. This file is an uploader under the control of the attacker. With this file, a malicious actor has the ability to continue uploading files to the compromised website.The indicators observed in these attacks also include signs of the NDSW trojan, which injects code into otherwise legitimate JavaScript files and redirects site visitors to malicious websites. The presence of  this string in your JavaScript files is a strong indication that your site has been infected with NDSW:;if(ndsw==Some additional filenames that attackers are attempting to upload includes:- [xxx]_young.zip where [xxx] varies and typically consists of 3 characters like ‘svv_young’- inject.zip- king_zip.zip- null.zip- plugin.zipWhat Should I Do If I Use This Plugin?All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability. However, at this time the plugin has been closed, and the developer has not been responsive regarding a patch. The best option is to fully remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

Related news

Warning for WordPress admins: uninstall the Modern WPBakery plugin immediately!

We take a look at a WordPress plugin, abandoned and open to JavaScript related exploitation. Uninstall it now! The post Warning for WordPress admins: uninstall the Modern WPBakery plugin immediately! appeared first on Malwarebytes Labs.

WordPress Page Builder Plug-in Under Attack, Can't Be Patched

An ongoing campaign is actively targeting the vulnerability in the Kaswara Modern WPBakery Page Builder Addon, which is still installed on up to 8,000 sites, security analysts warn.

Experts Notice Sudden Surge in Exploitation of WordPress Page Builder Plugin Vulnerability

Researchers from Wordfence have sounded the alarm about a "sudden" spike in cyber attacks attempting to exploit an unpatched flaw in a WordPress plugin called Kaswara Modern WPBakery Page Builder Addons. Tracked as CVE-2021-24284, the issue is rated 10.0 on the CVSS vulnerability scoring system and relates to an unauthenticated arbitrary file upload that could be abused to gain code execution,

CVE-2021-24284

The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution