Description: Arbitrary File Upload/Deletion and Other

Affected Plugin: Kaswara Modern WPBakery Page Builder Addons

Plugin Slug: kaswara

Affected Versions: <= 3.0.1

CVE ID: CVE-2021-24284

CVSS Score: 10.0 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Fully Patched Version: NO AVAILABLE PATCH.

The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website. Your logs may show the following query string on these events:

/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1

We have observed 10,215 attacking IP addresses, with the vast majority of exploit attempts coming from these top ten IPs:

- 217.160.48.108 with 1,591,765 exploit attempts blocked
- 5.9.9.29 with 898,248 exploit attempts blocked
- 2.58.149.35 with 390,815 exploit attempts blocked
- 20.94.76.10 with 276,006 exploit attempts blocked
- 20.206.76.37 with 212,766 exploit attempts blocked
- 20.219.35.125 with 187,470 exploit attempts blocked
- 20.223.152.221 with 102,658 exploit attempts blocked
- 5.39.15.163 with 62,376 exploit attempts blocked
- 194.87.84.195 with 32,890 exploit attempts blocked
- 194.87.84.193 with 31,329 exploit attempts blocked

total exploit attempts (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVBShv6GLdzPVD2tfx2nL3-mW1vWpFD4Ms7XyN7RflyV3kWF_V1-WJV7CgVwTW2HR3PZ2kBMBfW2t6xdk5Ml1S9W5bCZ525-mJqWW40tw862L5dGgW3Y11hW3lq3yLW7y3VmP4FS25GW5F4n688Q7Md-W7h1qvn5WjbzdDFPF5rn3yqW3GxZMh3tKpFmW97_3MJ3QxrZsW4G865d4YQk8NW4L97Qj65XkLvW4lVm1J6zK1PHN4PpGwFcdg7nW5KZv7G1P1n1wW2xsSjJ8lVXZJW6-vVB14dqX31W51ts4M1f3sHMN3WTKGV7R0VmW3BkkKd7HcTHcW3Mgljb1Lw63wW7_lfQF8d1jK9W2STHKk85KKhwW29fhqS6Z-kR3W7CZrhd3CR-ZvW3N9v9p8j3s_9W4dwzb85pW5-f3fY-1 )

Indicators of Compromise

Based on our analysis of the attack data, a majority of attackers are attempting to upload a zip file named a57bze8931.zip. When attackers are successful at uploading the zip file, a single file named a57bze8931.php will be extracted into the /wp-content/uploads/kaswara/icons/ directory. The malicious file has an MD5 hash of d03c3095e33c7fe75acb8cddca230650. This file is an uploader under the control of the attacker. With this file, a malicious actor has the ability to continue uploading files to the compromised website.

The indicators observed in these attacks also include signs of the NDSW trojan, which injects code into otherwise legitimate JavaScript files and redirects site visitors to malicious websites. The presence of  this string in your JavaScript files is a strong indication that your site has been infected with NDSW:

;if(ndsw==

Some additional filenames that attackers are attempting to upload includes:

- [xxx]_young.zip where [xxx] varies and typically consists of 3 characters like ‘svv_young’
- inject.zip
- king_zip.zip
- null.zip
- plugin.zip

What Should I Do If I Use This Plugin?

All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability. However, at this time the plugin has been closed, and the developer has not been responsive regarding a patch. The best option is to fully remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.