Attackers scan 1.6 million WordPress sites for a vulnerable plugin

Security researchers have detected a massive campaign that has scanned nearly 1.6 million WordPress sites for the presence of a vulnerable plugin that allows file uploads without authentication.

The attackers are targeting the Kaswara Modern WPBakery Page Builder, which has been abandoned by its author before receiving a patch for a critical severity bug tracked as CVE-2021-24284.

The vulnerability would allow an unauthenticated attacker to inject malicious JavaScript into sites running any version of the plugin and perform actions such as uploading and deleting files, which could lead to a complete site takeover.

Although the size of the campaign is impressive, with 1,599,852 unique sites targeted, only a small portion of them are running the vulnerable plugin.

Researchers at Defiant, maker of the Wordfence security solution for WordPress, observed an average of nearly half a million attack attempts per day against the client sites they protect.

According to Wordfence telemetry data, the attacks began on July 4 and are still ongoing, with an average of 443,868 daily attempts.

The attacks originate from 10,215 different IP addresses, some of which have generated millions of requests, while others are limited to smaller numbers, according to the researchers.

If you are still using the Kaswara Modern WPBakery Page Builder Addons plugin, you should immediately remove it from your WordPress site.

If you are not using the plugin, it is recommended to block the attackers' IP addresses. For more details on the indicators and the most prolific request sources, check out the Wordfence blog.
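Site owners who want to find out whether their own server is being probed for this plugin, and which sources are probing hardest, can do so from the web server access log. The script below is an added example (not code from the article or from Wordfence): it parses combined-format log lines, counts per-IP requests under the plugin's directory, ranks the noisiest sources, and checks whether any such request was actually served (a sign the plugin is still installed). The plugin directory `/wp-content/plugins/kaswara/` is an assumed slug, and the log lines are constructed samples.

```python
import re
from collections import Counter

# Assumed plugin directory slug; the article does not state the path.
PLUGIN_PATH = "/wp-content/plugins/kaswara/"

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real telemetry); 404s mean the plugin is absent.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jul/2022:10:00:01 +0000] "GET /wp-content/plugins/kaswara/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jul/2022:10:00:02 +0000] "GET /wp-content/plugins/kaswara/assets/css/style.css HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jul/2022:10:00:03 +0000] "GET /wp-content/plugins/kaswara/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2022:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2022:10:01:05 +0000] "GET /wp-content/plugins/kaswara/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jul/2022:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def probe_counts(log_text, plugin_path=PLUGIN_PATH):
    """Count requests under the plugin directory, keyed by source IP."""
    counts = Counter()
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["path"].startswith(plugin_path):
            counts[rec["ip"]] += 1
    return counts

def scanning_sources(log_text, threshold=2, plugin_path=PLUGIN_PATH):
    """IPs whose probe count reaches the threshold, most active first (block-list candidates)."""
    counts = probe_counts(log_text, plugin_path)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

def plugin_installed(log_text, plugin_path=PLUGIN_PATH):
    """True if any request under the plugin path was served (status below 400)."""
    return any(rec and rec["path"].startswith(plugin_path) and rec["status"] < 400
               for rec in map(parse_line, log_text.splitlines()))

if __name__ == "__main__":
    for ip, n in scanning_sources(SAMPLE_LOG):
        print(f"{ip}: {n} probes of {PLUGIN_PATH}")
    print("plugin appears installed:", plugin_installed(SAMPLE_LOG))
```

On a live server, feed the script the real access log and raise the threshold so that a single curious request does not land an IP on the block list.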
