Vulnerability Management, DevSecOps, Threat Management

Beware this WordPress add-on that could lead to site takeover, threat intel team warns

Stickers, buttons and pencils with the WordPress logo are seen in a pile.
Wordfence researchers are warning security teams to remove a WordPress add-on that researchers have observed a sudden increase in attack attempts. ("Wordpress" by Huasonic is licensed under CC BY-NC 2.0.)

The threat intelligence team from Wordfence this week reported that it has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Add-ons.

In a blog post, the Wordfence researchers said the critical vulnerabilityCVE-2021-24284 — was not patched, but was previously disclosed and that plug-in was closed down. The researchers said attackers can use the vulnerability to upload malicious PHP files to an affected website, leading to code execution and complete site takeover. Once they attackers establish a foothold, they can also inject malicious JavaScript into files on a site.

The researchers said even though Wordfence has protected its customers from this attack since May 21, 2021, they still strongly recommend that site managers remove the Kaswara add-ons and find a replacement because it’s unlikely that the plug-in will ever receive a patch.

Arguably the leading company focused on securing WordPress sites, Wordfence was quick to point out that while nearly 1.6 million unique sites were targeted — the majority of those sites are not running the vulnerable plug-in.

WordPress powers as much as one-third of all websites on the internet, including some of the most highly trafficked sites and a large percentage of e-commerce sites, so attackers are always searching for new vulnerabilities to exploit, said Pravin Madhani, co-founder and CEO of K2 Cyber Security. Madhani said each new WordPress vulnerability serves as a sobering reminder that plug-ins can affect a site’s overall security.

“At a minimum, security teams need to ensure that all plug-ins are up to date and you’re only enabling and using the plug-ins that you really need for the site,” Madhani said. “For the most effective protection, implement security-in-depth for a site, which includes edge security, runtime application security, and server security."

John Bambenek, principal threat hunter at Netenrich, said the dangers of open-source software in the software supply chain for WordPress sites is that components are often added into a site that then become dangerous.

“This is particularly acute when plug-ins or packages are abandoned and there will be no updates or patches,” Bambenek said. “The only real options here are for users to rebuild their sites without WPBakery or to have strong web application protection that will stop these attacks despite the vulnerability.:

Mike Parkin, senior technical engineer at Vulcan Cyber, considered the WordPress case a perfect example of an often-overlooked challenge in cybersecurity: when a piece of software goes end-of-life, becomes orphaned, or is otherwise no longer supported, it becomes a security risk.

“Old vulnerabilities may go unpatched, and new ones may be discovered with no way to fix them,” Parkin said. “Though the best option is to remove the obsolete software or device to eliminate the threat, there are often cases where it’s not possible. In cases where the software remains vital and no replacement exists, the organization will have to find mitigations that can reduce the risk as much as possible and prepare for the exploit when it happens.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds