Wordfence researchers discovered a massive campaign in which hackers scanned about 1.6 million WordPress sites. The hackers were looking for the vulnerable Kaswara Modern WPBakery Page Builder plugin, which allows files to be uploaded without authentication.
Let me remind you that we also reported that a fake jQuery Migrate plugin infected many WordPress sites, and that millions of WordPress sites were attacked due to a vulnerability in the File Manager plugin.
Scans work like this: attackers send a POST request to wp-admin/admin-ajax.php, trying to use the plugin's uploadFontIcon AJAX function to upload a malicious payload (a ZIP file containing a PHP file).
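An added detection example (not from Wordfence or the original article): this Python code scans web server access logs in Combined Log Format for the probe request described above, decoding the query string so percent-encoded action names are not missed. It assumes the action parameter is visible in the logged URL; when it is sent only in the POST body, a standard access log does not record it and a WAF or application-level log is needed. The log lines, dates and IP addresses are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
PROBE_ACTION = "uploadFontIcon"  # AJAX function named in the article

def is_probe(line):
    """Return (ip, status) for a POST to admin-ajax.php with the probe action, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    # endswith() also covers WordPress installed in a subdirectory.
    if not url.path.endswith(AJAX_PATH):
        return None
    # parse_qs percent-decodes values, so "upload%46ontIcon" is still caught.
    if PROBE_ACTION not in parse_qs(url.query).get("action", []):
        return None
    return m["ip"], int(m["status"])

def summarize(lines):
    """Count probes per source IP, and separately those answered with HTTP 200."""
    per_ip, answered_200 = Counter(), Counter()
    for line in lines:
        hit = is_probe(line)
        if hit:
            per_ip[hit[0]] += 1
            if hit[1] == 200:
                answered_200[hit[0]] += 1  # review these hosts first
    return per_ip, answered_200

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2030:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 400 1 "-" "-"',
    '203.0.113.7 - - [01/Jan/2030:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=upload%46ontIcon HTTP/1.1" 200 1 "-" "-"',
    '198.51.100.20 - - [01/Jan/2030:10:00:03 +0000] "POST /blog/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 1 "-" "-"',
    '192.0.2.15 - - [01/Jan/2030:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "-"',
    '192.0.2.15 - - [01/Jan/2030:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 1 "-" "-"',
]

if __name__ == "__main__":
    probes, ok = summarize(SAMPLE_LOG)
    for ip, n in probes.most_common():
        print(f"{ip}: {n} probe(s), {ok[ip]} answered with 200")
```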
Defiant analysts report that 1,599,852 unique sites have already been crawled, although only a small fraction of them actually used the vulnerable plugin.
According to Wordfence telemetry, the attacks began on July 4 and continue to this day: on average, attackers make 443,868 scan attempts per day. At the same time, attacks come from 10,215 different IP addresses, with some of them generating millions of requests, while others show much less activity.
Anyone who still uses the Kaswara Modern WPBakery Page Builder plugin is advised to remove it from their site as soon as possible.