PSA: Remove Kaswara Modern WPBakery Page Builder Addons Plugin Immediately
Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by “Robin Goodfellow.” The exploited flaw makes it possible for unauthenticated attackers to upload malicious PHP files to a WordPress site and ultimately achieve remote code execution to take over the site.
In addition to the actively exploited flaw, we discovered several vulnerable endpoints that could allow attackers to do a wide range of things, such as deleting arbitrary files and injecting malicious JavaScript. Because this plugin has been closed and the plugin developer has been unresponsive, we urge you to remove this plugin completely from your WordPress site immediately. We have identified several vulnerabilities in this plugin that could allow unauthenticated attackers to take over vulnerable WordPress sites, along with numerous other vulnerabilities with lesser impacts.
Wordfence Premium customers received firewall rules this morning, on April 21, 2021, to protect against active exploitation of these vulnerabilities. Wordfence users still using the free version will receive the same protection on May 21, 2021.
Affected Plugin: Kaswara Modern WPBakery Page Builder Addons
Plugin Slug: kaswara
Affected Versions: <= 3.0.1
CVE ID: CVE-2021-24284
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: NO AVAILABLE PATCH.
At this time, we are releasing minimal details due to this being an actively exploited vulnerability with no available patch. We may decide to release more details in the future, but in the meantime we recommend you take appropriate measures to secure your site.
Indicators of Compromise
At this time, we have limited indicators of compromise. However, based on the functionality of the vulnerability we recommend checking the /wp-content/uploads/kaswara/ directory and all subdirectories for any PHP files. If you find a PHP file in this directory, you can assume that your site has been compromised and you should trigger the site cleaning process that is outlined here.
The following files are being found on infected sites (special thanks to Salvador Aguilar and WPScan for reporting these findings):
/wp-content/uploads/kaswara/icons/kntl/img.php
/wp-content/uploads/kaswara/fonts_icon/15/icons.php
/wp-content/uploads/kaswara/icons/brt/t.php
/wp-content/uploads/kaswara/fonts_icon/jg4/coder.php
We will update this section as we learn more.
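The check recommended above, as an added example that is not Wordfence's code: walk the kaswara uploads directory, report every PHP-like file (the uploads tree should never contain any), and separate the paths this post already lists from new ones. The directory layout scanned in `demo_scan()` is constructed in a temporary directory; point `find_php_files()` at a real WordPress root to use it.

```python
import os
import tempfile

# Paths the post reports on infected sites, relative to the WordPress root.
KNOWN_IOC_PATHS = {
    "wp-content/uploads/kaswara/icons/kntl/img.php",
    "wp-content/uploads/kaswara/fonts_icon/15/icons.php",
    "wp-content/uploads/kaswara/icons/brt/t.php",
    "wp-content/uploads/kaswara/fonts_icon/jg4/coder.php",
}

# Extensions a PHP handler will typically execute; the post says to look for
# "any PHP files", so every match in the uploads tree is suspect.
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar")


def find_php_files(wp_root, subdir="wp-content/uploads/kaswara"):
    """Return sorted paths (relative to wp_root) of PHP-like files under subdir."""
    base = os.path.join(wp_root, subdir)
    hits = []
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                rel = os.path.relpath(os.path.join(dirpath, name), wp_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def classify(hits):
    """Split hits into paths the post already lists and unlisted ones."""
    known = [h for h in hits if h in KNOWN_IOC_PATHS]
    unknown = [h for h in hits if h not in KNOWN_IOC_PATHS]
    return known, unknown


def demo_scan():
    """Scan a constructed site layout built in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("wp-content/uploads/kaswara/icons/brt/t.php",       # listed IoC
                    "wp-content/uploads/kaswara/fonts_icon/x/a.phtml",  # unlisted
                    "wp-content/uploads/kaswara/icons/brt/icon.svg"):   # benign
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return classify(find_php_files(root))


if __name__ == "__main__":
    print(demo_scan())
```

Any file in the "unlisted" group is still a compromise indicator; the known list only tells you which webshell names have been seen so far.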
Response timeline
April 21, 2021 2:22 PM UTC – New vulnerability entry in WPScan reporting 0-day vulnerability in the Modern WPBakery Page Builder Addons plugin. Wordfence Threat Intelligence is alerted to the new vulnerability report and begins to triage the vulnerability immediately.
April 21, 2021 2:57 PM UTC – We verify the existence of the vulnerability and create a proof of concept.
April 21, 2021 3:00 PM UTC – We create and begin testing a firewall rule to protect against the vulnerability.
April 21, 2021 3:08 PM UTC – We discover additional vulnerable endpoints and tailor the WAF rule to provide protection against these additional vulnerabilities. Testing continues on WAF rule.
April 21, 2021 3:48 PM UTC – The first firewall rule is deployed to premium users.
April 21, 2021 4:14 PM UTC – We create and begin testing a second firewall rule to protect against additional vulnerabilities found in the plugin.
April 21, 2021 4:26 PM UTC – The second firewall rule is deployed to premium users.
May 21, 2021 – Wordfence Free users receive the firewall rules.
Conclusion
In today’s post, we detailed a zero-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a plugin containing numerous vulnerabilities, among them flaws that unauthenticated attackers can use to upload malicious files and completely take over a WordPress site. These vulnerabilities remain unpatched as of this morning and, therefore, we strongly recommend deactivating and removing the plugin until a patch has been released. Due to the developer’s unresponsiveness, a patch may not be released, in which case we recommend finding a reasonable replacement that is being actively maintained by its developer.
Wordfence Premium customers received firewall rules on April 21, 2021 to protect against the active exploitation of this vulnerability and the additional vulnerabilities we discovered. Wordfence users still using the free version will receive the same protection on May 21, 2021.
Please forward and share this post widely so that those WordPress site owners using this vulnerable plugin can take fast action to protect their sites as this zero-day vulnerability is currently being exploited in the wild.
Special thanks to Ramuel Gall, Wordfence Threat Analyst and QA Engineer, for his research pertaining to the vulnerability and his assistance in getting a firewall rule out quickly to our customers.
Comments
2:01 pm
I do not see /wp-content/uploads/kaswara/fonts_icon/jg4/coder.php as disclosed on the original disclosure. However, I am seeing requests to this one: /wp-content/uploads/kaswara/icons/brt/t.php
1:30 am
Daaaaamn not what I wanted to wake up to. Thankfully am unaffected by that add on, but that email was better than a shot of coffee
9:21 am
Seeing two new IoCs that are being checked as well:
/wp-content/uploads/kaswara/icons/kntl/img.php
/wp-content/uploads/kaswara/fonts_icon/15/icons.php
1:30 pm
Hi Salvador,
Thank you for reporting your findings! We have updated our post to reflect this information.
2:41 pm
This also seems to be happening for Kaswara Modern VC Addons (not Kaswara Modern WPBakery Addons).
7:19 am
Hi Nicola,
We obtained the current name of the plugin from their Code Canyon page here: https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477
It looks like the plugin was previously named Kaswara Modern VC Addons. Therefore, any variation of this plugin, regardless of the name, is affected. The plugin slug of kaswara should be the same despite the differences in the plugin's title.
10:03 am
FYI: My Country blocker plugin blocked an attempt to reach this url: /wp-content/plugins/kaswara/assets/js/font-manager.js
I don't have the Kaswara plugin, but thought I would pass on this info, in case it is helpful to others.
2:41 am
If we don't allow php execution in /wp-content/uploads and we chmod 000 /wp-content/uploads/kaswara are the websites safe?
7:15 am
Hi Christos,
Unfortunately, this vulnerability allows attackers to perform what is called directory traversal, so they can install the malicious file outside of the intended directory, which means there is a small possibility they could have installed the file outside of the uploads directory, rendering the PHP execution protection in the uploads directory ineffective. The good news is that it appears that the attackers have not been installing the files outside of the uploads directory, so if you did detect a malicious file in the /uploads/kaswara directory then more than likely your website is safe because the PHP execution protection should prevent the file from executing and prevent any further harm. If you found a malicious file in the uploads directory, please remove it immediately, then conduct a full scan with Wordfence.
2:04 am
Good morning, I'm considering buying your premium plugin because my site has been hacked and it's completely done with the Kaswara plugin. I can't delete it because otherwise all the site would result like this: https://i.imgur.com/Cx4JfV9.png (not identifying all kaswara codes).
My question is: If I buy your premium plugin, can I use the current version of the Kaswara plugin ( 2.1 ) without being hacked?
7:29 am
Hi there,
I am sorry to hear that! If you use Wordfence premium, then yes your site will be protected against any attempts to exploit this vulnerability as premium customers received the firewall rules immediately. On May 21st, free users will receive the same protection, so if you prefer not to upgrade to Wordfence premium, then I would recommend uninstalling the plugin until May 21st, if possible.
8:40 am
Two of our sites have been attacked through this vulnerability, but the thing is that Kaswara is actively used in our website. So we don't know what to do at the moment.
The symptom now is that the website redirects to malicious pages.
7:25 am
Hi Nelson,
The most recommended action would be to uninstall the plugin, however, I see that you are actively using the plugin. Please follow this guide to clean your site: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/. If you have Wordfence premium installed, then that will provide protection against any attempts to reinfect the site. Alternatively, we offer a site cleaning service where our team will conduct the cleaning for you and you will receive a free year of Wordfence premium for enhanced protection on your site.