Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites
12.3.24 Virus The Hacker News
A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.
According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.
"These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher Puja Srivastava said in a report dated March 7.
Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins.
The shortcoming was exploited as part of a Balada Injector campaign earlier this January, compromising no less than 7,000 sites.
The latest set of attacks lead to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages.
WordPress site owners are recommended to keep their plugins up-to-date as well as scan their sites for any suspicious code or users, and perform appropriate cleanup.
"This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date," Srivastava said.
The development comes as WordPress security firm Wordfence disclosed a high-severity bug in another plugin known as Ultimate Member that can be weaponized to inject malicious web scripts.
The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), impacts all versions of the plugin, including and prior to 2.8.3. It has been patched in version 2.8.4, released on March 6, 2024.
The flaw stems from insufficient input sanitization and output escaping, thereby allowing unauthenticated attackers to inject arbitrary web scripts in pages that will be executed every time a user visits them.
"Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited," Wordfence said.
It's worth noting that the plugin maintainers addressed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3 released on February 19.
It also follows the discovery of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8) and possibly executes malicious code remotely. It has been resolved in version 7.11.5.
"This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible," Wordfence said.