Today, April 21, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a premium plugin that we estimate has over 10,000 installations. This vulnerability was reported this morning to WPScan by “Robin Goodfellow.” The exploited flaw makes it possible for unauthenticated attackers to upload malicious PHP files to a WordPress site and ultimately achieve remote code execution to take over the site.
Wordfence Premium customers received firewall rules this morning, on April 21, 2021, to protect against active exploitation of these vulnerabilities. Wordfence users still using the free version will receive the same protection on May 21, 2021.
Arbitrary File Upload/Deletion and OtherAffected Plugin:
Kaswara Modern WPBakery Page Builder AddonsPlugin Slug:
<= 3.0.1CVE ID: CVE-2021-24284CVSS Score:
10.0 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HFully Patched Version:
NO AVAILABLE PATCH.
At this time, we are releasing minimal details due to this being an actively exploited vulnerability with no available patch. We may decide to release more details in the future, but in the meantime we recommend you take appropriate measures to secure your site.
Indicators of Compromise
At this time, we have limited indicators of compromise. However, based on the functionality of the vulnerability we recommend checking the /wp-content/uploads/kaswara/ directory and all subdirectories for any PHP files. If you find a PHP file in this directory, you can assume that your site has been compromised and you should trigger the site cleaning process that is outlined here.
The following files being found on infected sites (special thanks to Salvador Aguilar and WPScan for reporting these findings):
We will update this section as we learn more.
April 21, 2021 2:22 PM UTC – New vulnerability entry in WPScan reporting 0-day vulnerability in the Modern WPBakery Page Builder Addons plugin. Wordfence Threat Intelligence is alerted to the new vulnerability report and begins to triage the vulnerability immediately.
April 21, 2021 2:57 PM UTC – We verify the existence of the vulnerability and create a proof of concept.
April 21, 2021 3:00 PM UTC – We create and begin testing a firewall rule to protect against the vulnerability.
April 21, 2021 3:08 PM UTC – We discover additional vulnerable endpoints and tailor the WAF rule to provide protection against these additional vulnerabilities. Testing continues on WAF rule.
April 21, 2021 3:48 PM UTC – The first firewall rule is deployed to premium users.
April 21, 2021 4:14 PM UTC – We create and begin testing a second firewall rule to protect against additional vulnerabilities found in the plugin.
April 21, 2021 4:26 PM UTC – The second firewall rule is deployed to premium users.
May 21, 2021 – Wordfence Free users receive the firewall rules.
In today’s post, we detailed a zero-day vulnerability that is being actively exploited in Kaswara Modern WPBakery Page Builder Addons, a plugin containing numerous vulnerabilities unauthenticated attackers can use to upload malicious files, among many other flaws. This can be used to completely take over a WordPress site. These vulnerabilities currently remain unpatched as of this morning and, therefore, we strongly recommend deactivating and removing the plugin until a patch has been released. Due to the developer’s unresponsiveness, a patch may not be released, in which case we recommend finding a reasonable replacement that is being actively maintained by its developer.
Wordfence Premium customers received firewall rules on April 21, 2021 to protect against the active exploitation of this vulnerability and the additional vulnerabilities we discovered. Wordfence users still using the free version will receive the same protection on May 21, 2021.
Please forward and share this post widely so that those WordPress site owners using this vulnerable plugin can take fast action to protect their sites as this zero-day vulnerability is currently being exploited in the wild.
Special thanks to Ramuel Gall, Wordfence Threat Analyst and QA Engineer, for his research pertaining to the vulnerability and his assistance in getting a firewall rule out quickly to our customers.