The threat intelligence team from Wordfence this week reported that it has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Add-ons.
In a blog post, the Wordfence researchers said the critical vulnerability — CVE-2021-24284 — was not patched, but was previously disclosed and that plug-in was closed down. The researchers said attackers can use the vulnerability to upload malicious PHP files to an affected website, leading to code execution and complete site takeover. Once they attackers establish a foothold, they can also inject malicious JavaScript into files on a site.
The researchers said even though Wordfence has protected its customers from this attack since May 21, 2021, they still strongly recommend that site managers remove the Kaswara add-ons and find a replacement because it’s unlikely that the plug-in will ever receive a patch.
Arguably the leading company focused on securing WordPress sites, Wordfence was quick to point out that while nearly 1.6 million unique sites were targeted — the majority of those sites are not running the vulnerable plug-in.
WordPress powers as much as one-third of all websites on the internet, including some of the most highly trafficked sites and a large percentage of e-commerce sites, so attackers are always searching for new vulnerabilities to exploit, said Pravin Madhani, co-founder and CEO of K2 Cyber Security. Madhani said each new WordPress vulnerability serves as a sobering reminder that plug-ins can affect a site’s overall security.
“At a minimum, security teams need to ensure that all plug-ins are up to date and you’re only enabling and using the plug-ins that you really need for the site,” Madhani said. “For the most effective protection, implement security-in-depth for a site, which includes edge security, runtime application security, and server security."
John Bambenek, principal threat hunter at Netenrich, said the dangers of open-source software in the software supply chain for WordPress sites is that components are often added into a site that then become dangerous.
“This is particularly acute when plug-ins or packages are abandoned and there will be no updates or patches,” Bambenek said. “The only real options here are for users to rebuild their sites without WPBakery or to have strong web application protection that will stop these attacks despite the vulnerability.:
Mike Parkin, senior technical engineer at Vulcan Cyber, considered the WordPress case a perfect example of an often-overlooked challenge in cybersecurity: when a piece of software goes end-of-life, becomes orphaned, or is otherwise no longer supported, it becomes a security risk.
“Old vulnerabilities may go unpatched, and new ones may be discovered with no way to fix them,” Parkin said. “Though the best option is to remove the obsolete software or device to eliminate the threat, there are often cases where it’s not possible. In cases where the software remains vital and no replacement exists, the organization will have to find mitigations that can reduce the risk as much as possible and prepare for the exploit when it happens.”