Researchers at Defiant have uncovered a massive campaign in which attackers scanned about 1.6 million WordPress sites. They were looking for the vulnerable Kaswara Modern WPBakery Page Builder plugin, which allows files to be uploaded without authentication.
The scans work like this: attackers send a POST request to wp-admin/admin-ajax.php, trying to use the plugin's uploadFontIcon AJAX function to upload a malicious payload (a ZIP file containing a PHP file).
Defiant analysts report that 1,599,852 unique sites have already been scanned, although only a small fraction of them actually used the vulnerable plugin.
According to Wordfence telemetry, the attacks began on July 4 and continue to this day: on average, attackers make 443,868 scan attempts per day. The attacks come from 10,215 different IP addresses; some of them generate millions of requests, while others show much less activity.
Anyone who still uses the Kaswara Modern WPBakery Page Builder plugin is advised to remove it from their site as soon as possible.
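Site owners can check their own access logs for the probe described above. The following Python sketch is an added example, not code from Defiant or Wordfence. It assumes combined-format access logs, and the sample lines and IP addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "uploadFontIcon"

def classify(line):
    """Return (ip, verdict, status) for a POST to admin-ajax.php, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    path, _, query = target.partition("?")
    # Collapse repeated slashes; endswith() also covers subdirectory installs.
    path = re.sub(r"/+", "/", path)
    if method.upper() != "POST" or not path.endswith(AJAX_PATH):
        return None
    # A combined-format log has no request body, so an action sent in the
    # body is only visible as a generic admin-ajax POST ("unknown").
    actions = parse_qs(query).get("action", [])
    return ip, ("probe" if ACTION in actions else "unknown"), int(status)

def summarize(lines):
    """Return (Counter of probes per source IP, count of unclassified POSTs)."""
    probes, unknown = Counter(), 0
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        if hit[1] == "probe":
            probes[hit[0]] += 1
        else:
            unknown += 1
    return probes, unknown

# Constructed sample lines (documentation IP ranges, not real traffic).
_T = "[01/Jan/2000:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {_T} "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 400 1 "-" "-"',
    f'203.0.113.7 - - {_T} "POST //wp-admin//admin-ajax.php?action=uploadFontIcon HTTP/1.1" 400 1 "-" "-"',
    f'198.51.100.9 - - {_T} "POST /blog/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 0 "-" "-"',
    f'192.0.2.15 - - {_T} "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "-"',
    f'192.0.2.15 - - {_T} "GET /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 400 1 "-" "-"',
    f'192.0.2.44 - - {_T} "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "-"',
]
```

Calling `summarize()` on a real log gives a per-IP tally of visible probes. The "unknown" count is a reminder that POSTs carrying the action in the body need a body-aware source, such as a WAF log, to classify.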