CVE-2021-24284
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary ZIP files containing malicious PHP scripts to WordPress sites using the Kaswara Modern VC Addons plugin. The plugin extracts these files without validation, enabling remote code execution. All WordPress installations with vulnerable plugin versions are affected.
💻 Affected Systems
- Kaswara Modern VC Addons WordPress plugin
📦 What is this software?
Kaswara by Kaswara Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via arbitrary PHP file upload leading to remote code execution, data theft, defacement, or ransomware deployment.
Likely Case
Website defacement, backdoor installation, credential theft, and lateral movement within the hosting environment.
If Mitigated
Limited impact if file uploads are blocked at web application firewall level or server permissions prevent PHP execution in uploads directory.
🎯 Exploit Status
Exploit code is publicly available and requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.2 or later
Vendor Advisory: https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Kaswara Modern VC Addons.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Block vulnerable AJAX endpoint
Add an .htaccess rule (Apache on Linux) to block access to the vulnerable uploadFontIcon AJAX action
# Matches only an action passed in the URL query string; admin-ajax.php also reads
# the action from the POST body, so pair this with a WAF rule or the PHP execution
# restriction below rather than relying on it alone.
RewriteEngine On
RewriteCond %{QUERY_STRING} action=uploadFontIcon
RewriteRule ^ - [F]
Restrict PHP execution in uploads directory
Prevent PHP files from executing in the kaswara fonts upload directory (wp-content/uploads/kaswara/fonts_icon/), on any platform running Apache
# Place this .htaccess in wp-content/uploads/kaswara/fonts_icon/ (or at the top of wp-content/uploads/)
<Files *.php>
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    deny from all
</Files>
🧯 If You Can't Patch
- Immediately deactivate and remove the Kaswara Modern VC Addons plugin
- Implement web application firewall rules to block file uploads to /wp-admin/admin-ajax.php with uploadFontIcon parameter
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Kaswara Modern VC Addons version 3.0.1 or earlier
Check Version:
wp plugin list --name=kaswara --field=version (if WP-CLI installed)
Verify Fix Applied:
Verify plugin version is 3.0.2 or later, or confirm plugin is completely removed
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action=uploadFontIcon' parameter
- File creation in wp-content/uploads/kaswara/fonts_icon/ with .php extension
Network Indicators:
- Unusual file uploads to WordPress AJAX endpoints from unauthenticated sources
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND query_string="*action=uploadFontIcon*"
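An added example, not part of the original advisory, that applies both log indicators above to web access-log lines in Python; the sample lines, the indicator tag names and the log format are constructed for illustration:

```python
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "uploadFontIcon"
FONTS_DIR = "/wp-content/uploads/kaswara/fonts_icon/"

# Combined log format: client, identity, user, [timestamp], "METHOD target ..." (rest ignored).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+)')

def indicators(line):
    """Return the CVE-2021-24284 log indicators matched by one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    found = []
    # Indicator 1: a request naming the vulnerable AJAX action. Only actions in
    # the query string are visible in a standard access log; an action carried
    # in the POST body needs request-body logging or a WAF to observe.
    if url.path == AJAX_PATH and VULN_ACTION in query.get("action", []):
        found.append("uploadFontIcon-request")
    # Indicator 2: PHP served from the plugin's font upload directory, which
    # holds only font assets on a healthy install.
    if url.path.startswith(FONTS_DIR) and url.path.lower().endswith(".php"):
        found.append("php-in-fonts_icon")
    return found

def scan(log_text):
    """Return (client_ip, timestamp, indicators) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        tags = indicators(line)
        if tags:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["ts"], tags))
    return hits

# Constructed sample lines (not from a real incident) for a stand-alone run.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2022:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.5 - - [10/Jul/2022:12:00:03 +0000] "GET /wp-content/uploads/kaswara/fonts_icon/icons/x.php HTTP/1.1" 200 88 "-" "python-requests/2.28"
198.51.100.7 - - [10/Jul/2022:12:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, ts, tags in scan(SAMPLE_LOG):
        print(ts, ip, ", ".join(tags))
```

The third sample line is a legitimate-looking admin-ajax.php POST and produces no hit, which is exactly the blind spot the first comment describes.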
🔗 References
- http://packetstormsecurity.com/files/167743/WordPress-Kaswara-Modern-WPBakery-Page-Builder-3.0.1-File-Upload.html
- https://codecanyon.net/item/kaswara-modern-visual-composer-addons/19341477
- https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5