WordPress · Kaswara Modern Vc Addons · CVE-2021-24284
**Name of the Vulnerable Software and Affected Versions**
Kaswara Modern VC Addons versions through 3.0.1
**Description**
The issue is an unrestricted upload of files of dangerous types (CWE-434). Exploitation allows a remote, unauthenticated attacker to upload and execute arbitrary files. The vulnerability is reachable through the 'uploadFontIcon' AJAX action: the supplied zip file is unpacked into the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP. It is estimated that over 8,000 sites are still using the plugin, and there has been a significant increase in attacks, with an average of 440,000 attempts per day from 10,215 attacking IP addresses. The attacks involve sending a POST request to /wp-admin/admin-ajax.php with the `uploadFontIcon` AJAX action to upload a file to the vulnerable website. In some cases, a trojan called NDSW was used, which injected code into legitimate JavaScript files and could be used to redirect users to malicious domains.
**Recommendations**
For versions through 3.0.1, uninstall the Kaswara Modern VC Addons plugin immediately to prevent exploitation. As a temporary workaround while the plugin is still installed, restrict access to the 'uploadFontIcon' AJAX action on the affected admin-ajax.php endpoint (for example, by blocking unauthenticated requests that carry it) until the issue is resolved.
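The description above names two observable indicators: POST requests to /wp-admin/admin-ajax.php carrying the `uploadFontIcon` action, and PHP files appearing under wp-content/uploads/kaswara/fonts_icon. The following detection script is an added example written for this advisory; it is not code from the plugin vendor or from the original page. It assumes a web server "combined" access-log format, that the action name appears in the query string (POST bodies are not logged, so an action passed only in the body is not visible here), and that the upload directory path is as stated in the description. The log lines are constructed samples.

```python
"""Detection helpers for CVE-2021-24284 exploitation attempts (added example).

Assumptions (not from the advisory):
- Apache/nginx "combined" access-log format with a quoted request line;
- the AJAX action is visible in the query string; request bodies are not logged;
- the plugin's upload directory is wp-content/uploads/kaswara/fonts_icon/.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Fields of a "combined" log line that we need: client IP, time, method, path, status.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# WordPress dispatches wp_ajax_nopriv_{action} by exact name, so match it exactly.
VULNERABLE_ACTION = "uploadFontIcon"
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
UPLOAD_DIR = "/wp-content/uploads/kaswara/fonts_icon/"
# Extensions that the web server would execute if dropped into the upload directory.
DANGEROUS_EXT = (".php", ".php5", ".php7", ".phtml", ".phar")

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2022:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2022:03:14:09 +0000] "GET /wp-content/uploads/kaswara/fonts_icon/icon.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jul/2022:03:20:11 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2022:03:21:00 +0000] "GET /wp-content/uploads/kaswara/fonts_icon/icon.svg HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2022:03:22:00 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 403 0 "-" "curl/7.68"',
    '198.51.100.50 - - [10/Jul/2022:03:25:42 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon&_=1 HTTP/1.1" 200 512 "-" "python-requests/2.28"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def is_upload_attempt(entry):
    """POST to admin-ajax.php whose query string selects the vulnerable action.

    The status code is deliberately ignored: a 403 still records that someone tried.
    """
    if entry["method"] != "POST":
        return False
    url = urlsplit(entry["path"])
    if not url.path.endswith(AJAX_ENDPOINT):
        return False
    return VULNERABLE_ACTION in parse_qs(url.query).get("action", [])


def is_dropped_file_hit(entry):
    """Any request for an executable-looking file inside the plugin upload directory.

    A hit here means a file of a dangerous type already exists there and is being
    invoked, which is the post-exploitation footprint described in the advisory.
    """
    path = urlsplit(entry["path"]).path.lower()
    return UPLOAD_DIR in path and path.endswith(DANGEROUS_EXT)


def scan(lines):
    """Classify log lines into upload attempts and dropped-file hits, counting sources."""
    hits = {"upload_attempts": [], "webshell_hits": [], "sources": Counter()}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; skip rather than crash mid-scan
        if is_upload_attempt(entry):
            hits["upload_attempts"].append(entry)
            hits["sources"][entry["ip"]] += 1
        elif is_dropped_file_hit(entry):
            hits["webshell_hits"].append(entry)
    return hits


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print(f"uploadFontIcon attempts: {len(result['upload_attempts'])}")
    print(f"sources: {dict(result['sources'])}")
    for e in result["webshell_hits"]:
        print(f"dangerous file requested under upload dir: {e['path']} ({e['status']})")
```

Run it against a real access log with `scan(open(path).readlines())`; a non-empty `webshell_hits` list is the stronger signal, because it shows the upload succeeded and the dropped file is being reached, whereas `upload_attempts` alone only shows probing and is expected to be noisy given the attack volume quoted above.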