Hackers Scanned 1.6 Million WordPress Sites Looking for a Vulnerable Plugin

hackers scanned WordPress sites
Written by Emma Davis

Wordfence researchers discovered a massive campaign in which hackers scanned about 1.6 million WordPress sites.

The hackers were looking for a vulnerable Kaswara Modern WPBakery Page Builder plugin that allows to upload files without authentication.

The fact is that the Kaswara Modern WPBakery Page Builder plugin was abandoned by the author some time ago, and after that they found a critical vulnerability CVE-2021-24284 in it. The bug allows unauthenticated attackers to inject malicious Javascript code onto websites, because due to the bug, any version of the plugin enables downloading and deleting files, which can ultimately lead to resource seizure.

Let me remind you that we also reported that Fake jQuery Migrate plugin infected many WordPress sites, and also that Due to vulnerability in File Manager plugin attacked millions of WordPress sites.

Scans work like this: attackers send a POST request to wp-admin/admin-ajax/php, trying to use the uploadFontIcon plugin’s AJAX function to upload a malicious payload (a ZIP file containing a PHP file).

The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website. Your logs may show the following query string on these events: /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1.Wordfence says.

This file, in turn, launches the NDSW Trojan, which injects JavaScript into legitimate files on target sites to redirect visitors to malicious resources, including phishing and malware sites.

Defiant analysts report that 1,599,852 unique sites have already been crawled, although only a small fraction of them actually used the vulnerable plugin.

hackers scanned WordPress sites

According to Wordfence telemetry, the attacks began on July 4 and continue to this day: on average, attackers make 443,868 scan attempts per day. At the same time, attacks come from 10,215 different IP addresses, with some of them generating millions of requests, while others show much less activity.

hackers scanned WordPress sites

It is noted that attackers use the following file names for their ZIP payloads: inject.zip, king_zip.zip, null.zip, plugin.zip and ***_young.zip. These files, as well as the presence of the line “; if(ndsw==” in any of the JavaScript files indicate a compromise.

Anyone who still uses the Kaswara Modern WPBakery Page Builder plugin is advised to remove it from their site as soon as possible.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply