exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Kaswara Modern WPBakery Page Builder 3.0.1 File Upload

WordPress Kaswara Modern WPBakery Page Builder 3.0.1 File Upload
Posted Jul 14, 2022
Site wordfence.com

WordPress Kaswara Modern WPBakery Page Builder plugin versions 3.0.1 and below suffer from an arbitrary file upload vulnerability.

tags | advisory, arbitrary, file upload
advisories | CVE-2021-24284
SHA-256 | cda2f52f6b43d9a253406aa83b3d7934624dc39c1c6c8f9a0240d741e6ae5fa3

WordPress Kaswara Modern WPBakery Page Builder 3.0.1 File Upload

Change Mirror Download
Description: Arbitrary File Upload/Deletion and Other

Affected Plugin: Kaswara Modern WPBakery Page Builder Addons

Plugin Slug: kaswara

Affected Versions: <= 3.0.1

CVE ID: CVE-2021-24284

CVSS Score: 10.0 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Fully Patched Version: NO AVAILABLE PATCH.

The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website. Your logs may show the following query string on these events:

/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1

We have observed 10,215 attacking IP addresses, with the vast majority of exploit attempts coming from these top ten IPs:

- 217.160.48.108 with 1,591,765 exploit attempts blocked
- 5.9.9.29 with 898,248 exploit attempts blocked
- 2.58.149.35 with 390,815 exploit attempts blocked
- 20.94.76.10 with 276,006 exploit attempts blocked
- 20.206.76.37 with 212,766 exploit attempts blocked
- 20.219.35.125 with 187,470 exploit attempts blocked
- 20.223.152.221 with 102,658 exploit attempts blocked
- 5.39.15.163 with 62,376 exploit attempts blocked
- 194.87.84.195 with 32,890 exploit attempts blocked
- 194.87.84.193 with 31,329 exploit attempts blocked

total exploit attempts (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVBShv6GLdzPVD2tfx2nL3-mW1vWpFD4Ms7XyN7RflyV3kWF_V1-WJV7CgVwTW2HR3PZ2kBMBfW2t6xdk5Ml1S9W5bCZ525-mJqWW40tw862L5dGgW3Y11hW3lq3yLW7y3VmP4FS25GW5F4n688Q7Md-W7h1qvn5WjbzdDFPF5rn3yqW3GxZMh3tKpFmW97_3MJ3QxrZsW4G865d4YQk8NW4L97Qj65XkLvW4lVm1J6zK1PHN4PpGwFcdg7nW5KZv7G1P1n1wW2xsSjJ8lVXZJW6-vVB14dqX31W51ts4M1f3sHMN3WTKGV7R0VmW3BkkKd7HcTHcW3Mgljb1Lw63wW7_lfQF8d1jK9W2STHKk85KKhwW29fhqS6Z-kR3W7CZrhd3CR-ZvW3N9v9p8j3s_9W4dwzb85pW5-f3fY-1 )

Indicators of Compromise

Based on our analysis of the attack data, a majority of attackers are attempting to upload a zip file named a57bze8931.zip. When attackers are successful at uploading the zip file, a single file named a57bze8931.php will be extracted into the /wp-content/uploads/kaswara/icons/ directory. The malicious file has an MD5 hash of d03c3095e33c7fe75acb8cddca230650. This file is an uploader under the control of the attacker. With this file, a malicious actor has the ability to continue uploading files to the compromised website.

The indicators observed in these attacks also include signs of the NDSW trojan, which injects code into otherwise legitimate JavaScript files and redirects site visitors to malicious websites. The presence of this string in your JavaScript files is a strong indication that your site has been infected with NDSW:

;if(ndsw==

Some additional filenames that attackers are attempting to upload includes:

- [xxx]_young.zip where [xxx] varies and typically consists of 3 characters like ‘svv_young’
- inject.zip
- king_zip.zip
- null.zip
- plugin.zip

What Should I Do If I Use This Plugin?

All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability. However, at this time the plugin has been closed, and the developer has not been responsive regarding a patch. The best option is to fully remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close