Hackers Exploit Vulnerability in Popup Builder Plugin, Infecting 3,300 WordPress Sites with Malware


Cybercriminals have been targeting WordPress websites through a vulnerability in outdated versions of the Popup Builder plugin, infecting more than 3,300 sites with malicious code. The flaw, tracked as CVE-2023-6000, is a stored cross-site scripting (XSS) vulnerability affecting Popup Builder versions 4.2.3 and earlier. It was first disclosed in November 2023, so the sites being hit now are ones that have gone months without patching.

Earlier this year, the Balada Injector campaign exploited the same vulnerability to compromise over 6,700 websites, showing that many site administrators had still not patched. Over the past three weeks, Sucuri has observed a surge in a new campaign targeting the same flaw in the plugin.

In these attacks, the malicious code is injected into the Custom JavaScript or Custom CSS sections of the Popup Builder plugin's settings in the WordPress admin interface, which the plugin stores in the site's 'wp_postmeta' database table (the table prefix may differ on sites that changed the default). The injected code is registered as handlers for Popup Builder events, so it runs whenever a popup opens or closes.

The primary goal of these injections is to redirect visitors of infected sites to malicious destinations, including phishing pages and sites distributing malware. In one case analysts observed, the code attached to the "contact-form-7" popup redirected users to a phishing page.

The injected code points to domains such as "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com," so blocking access to those domains (at the firewall, WAF or DNS layer) is advisable, bearing in mind that later waves of the campaign may switch to other domains. Website administrators are urged to update to the latest version of the Popup Builder plugin (currently 4.2.7), which addresses CVE-2023-6000 and other security issues.

Despite the availability of patches, a significant number of WordPress sites (at least 80,000 active installations) still run older versions of Popup Builder and remain exposed. If a site is already infected, removal means deleting the malicious entries from Popup Builder's Custom JS and CSS sections, updating the plugin so they cannot simply be re-injected, and then scanning the whole site for hidden backdoors; otherwise the site will be reinfected.
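The following is an added example (not code from Sucuri's write-up or from the Popup Builder project) of the two checks described in this article: flagging a Popup Builder install that is older than the 4.2.7 release named above, and triaging exported 'wp_postmeta' rows for injected Custom JS/CSS of the kind described. It goes a little beyond the two published domains: it flags any URL pointing off-site, and it base64-decodes `atob('...')` arguments and rescans the decoded text, since injected handlers are often wrapped that way. The `sgpb` meta_key prefix, the `sgpbDidOpen` event name, the `example.com` site host, the sample rows and the heuristics are all constructed for illustration; only the two IOC domains and the 4.2.7 version come from the article.

```python
"""Triage helper for the Popup Builder injection described in the article.

Added example, not the original report's or the plugin's own code.
Assumptions (constructed for illustration): meta_key prefix "sgpb",
the event name in the sample row, the site host "example.com", the
sample rows, and the regex heuristics below.
"""
import base64
import re
from dataclasses import dataclass, field

PATCHED_VERSION = (4, 2, 7)  # latest release named in the article
META_PREFIX = "sgpb"         # assumption: prefix of the plugin's postmeta keys

# The two domains quoted in the article (defanging brackets removed).
IOC_HOSTS = frozenset({"ttincoming.traveltraffic.cc", "host.cloudsonicwave.com"})

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
REDIRECT_RE = re.compile(r"(?:window|document|top)\.location(?:\.href)?\s*=", re.I)
OBFUSCATION_RE = re.compile(r"\b(?:eval|unescape)\s*\(|String\.fromCharCode", re.I)


def parse_version(version: str) -> tuple:
    """'4.2.3' -> (4, 2, 3), so tuples compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_outdated(version: str) -> bool:
    """True when the installed Popup Builder is older than the patched release."""
    return parse_version(version) < PATCHED_VERSION


@dataclass
class Finding:
    post_id: int
    meta_key: str
    reasons: list = field(default_factory=list)


def _decode_atob_payloads(text: str) -> list:
    """Return the decoded text of every atob('<base64>') call found in text."""
    decoded = []
    for b64 in ATOB_RE.findall(text):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def _inspect(text: str, site_host: str) -> list:
    """Heuristic reasons why a Custom JS/CSS value looks injected."""
    reasons = []
    for host in sorted({h.lower() for h in URL_RE.findall(text)}):
        if host in IOC_HOSTS:
            reasons.append(f"known IOC host {host}")
        elif host != site_host and not host.endswith("." + site_host):
            # May be a legitimate CDN or analytics host: review, do not auto-delete.
            reasons.append(f"external host {host}")
    if REDIRECT_RE.search(text):
        reasons.append("location redirect")
    if OBFUSCATION_RE.search(text):
        reasons.append("obfuscation wrapper")
    return reasons


def scan_postmeta(rows, site_host: str) -> list:
    """rows: iterable of (post_id, meta_key, meta_value) exported from wp_postmeta.

    Only the plugin's own keys are inspected; atob() payloads are decoded and
    rescanned so a base64-wrapped redirect is still caught.
    """
    findings = []
    for post_id, meta_key, meta_value in rows:
        if not meta_key.startswith(META_PREFIX):
            continue
        reasons = _inspect(meta_value, site_host)
        for decoded in _decode_atob_payloads(meta_value):
            reasons += ["decoded atob(): " + r for r in _inspect(decoded, site_host)]
        if reasons:
            findings.append(Finding(post_id, meta_key, reasons))
    return findings


# Constructed sample rows (not real site data). The base64 blob is built here
# so the obfuscated row decodes to a redirect to the second IOC domain.
_B64 = base64.b64encode(b"window.location='https://host.cloudsonicwave.com/'").decode()
SAMPLE_ROWS = [
    (5, "sgpb-ExtraJS", "fetch('https://example.com/wp-json/wp/v2/posts');"),   # own host: benign
    (12, "sgpb-ExtraCSS", ".sgpb-popup-dialog-main-div { border-radius: 6px; }"),  # benign CSS
    (12, "sgpb-ExtraJS", "jQuery(window).on('sgpbDidOpen', function(){ "
                         "window.location.href='https://ttincoming.traveltraffic.cc/get?l=x'; });"),
    (15, "sgpb-ExtraJS", "eval(atob('" + _B64 + "'));"),                          # wrapped redirect
    (20, "_edit_lock", "1710000000:1"),                                            # unrelated meta: skipped
]

if __name__ == "__main__":
    print("4.2.3 outdated:", is_outdated("4.2.3"))
    for finding in scan_postmeta(SAMPLE_ROWS, "example.com"):
        print(finding.post_id, finding.meta_key, "; ".join(finding.reasons))
```

The same filters translate directly into a query against the live table (restrict `meta_key` to the plugin's prefix and search `meta_value` for the IOC hosts and for `atob(`/`eval(`), but decoding the base64 payloads is what catches the wrapped variant, so run the script over an export rather than trusting a single LIKE pattern. Treat "external host" hits as review items, not automatic deletions, and rescan after updating the plugin, since a reinfection shows up as the same rows reappearing.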