Trending News Guru

Malicious Campaign Utilizes Popup Builder WordPress Plugin to Compromise Over 3,900 Websites.

A recently identified malware campaign is exploiting a critical security vulnerability found in the Popup Builder plugin for WordPress, leading to the injection of malicious JavaScript code. According to a report by Sucuri, this campaign has successfully compromised over 3,900 websites within the last three weeks.

Security researcher Puja Srivastava revealed that the attacks are coordinated from domains created less than a month ago, with registrations dating back to February 12th, 2024. The infection method involves exploiting CVE-2023-6000, a security flaw in Popup Builder that allows the creation of unauthorized admin users and the installation of arbitrary plugins. This particular weakness was previously exploited in a Balada Injector campaign in January, affecting a minimum of 7,000 sites.

In the current wave of attacks, the injected malicious code comes in two variants, both intended to redirect site visitors to other destinations, including phishing and scam pages. Website owners using WordPress are strongly advised to keep their plugins up-to-date, conduct regular scans for suspicious code or users, and perform the necessary cleanup.
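An added audit sketch (not from the Sucuri report or this article) covering the two checks the advice above calls for: script tags that load JavaScript from hosts the site does not own, and administrator accounts that appeared recently. The sample HTML, the user records, the site host and the CDN and foreign hostnames are all constructed placeholders.

```python
"""Audit sketch for two indicators named above: <script> tags that load code
from hosts the site does not own, and administrator accounts created recently.
All sample data is constructed for illustration."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

WP_TIME = "%Y-%m-%d %H:%M:%S"  # format of wp_users.user_registered
# src="..." on <script> tags; "\ssrc" keeps data-src="..." from matching.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)


def external_script_sources(html, site_host, allowlist=()):
    """Return script src values whose host is neither the site nor an allowlisted
    third party. Relative paths have no host and are skipped; protocol-relative
    "//host/x.js" URLs resolve to their host."""
    trusted = {site_host.lower(), *(h.lower() for h in allowlist)}
    flagged = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = (urlparse(src).hostname or "").lower()
        if host and host not in trusted:
            flagged.append(src)
    return flagged


def recent_admins(users, now, days=30):
    """Return logins of administrators registered within `days` before `now`
    (a datetime or a WP_TIME string); reconcile each against known site owners."""
    if isinstance(now, str):
        now = datetime.strptime(now, WP_TIME)
    cutoff = now - timedelta(days=days)
    return [u["user_login"] for u in users
            if "administrator" in u["roles"]
            and datetime.strptime(u["user_registered"], WP_TIME) >= cutoff]


# Constructed page: one local script, one allowlisted CDN, one foreign host.
SAMPLE_HTML = """<head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script type="text/javascript" src="https://cdn.example-cdn.test/lib.js"></script>
<script src='//injected-loader.example.test/popup.js'></script>
</head>"""

# Constructed users in the shape WordPress exposes (login, roles, registration time).
SAMPLE_USERS = [
    {"user_login": "owner", "roles": ["administrator"], "user_registered": "2022-05-01 09:00:00"},
    {"user_login": "editor_jane", "roles": ["editor"], "user_registered": "2024-02-25 14:30:00"},
    {"user_login": "wp_helper_01", "roles": ["administrator"], "user_registered": "2024-02-20 03:12:44"},
]
```

Run the two functions against the rendered front page and an export of the users table; anything flagged is a lead to verify, not proof of compromise on its own.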

Puja Srivastava emphasized, “This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date.”

This development coincides with the disclosure by WordPress security firm Wordfence of a high-severity bug in the Ultimate Member plugin, posing a risk of injecting malicious web scripts. Tracked as CVE-2024-2123 (CVSS score: 7.2), the cross-site scripting (XSS) flaw affects all plugin versions up to 2.8.3 and has been patched in version 2.8.4, released on March 6, 2024. The vulnerability arises from inadequate input sanitization and output escaping, potentially allowing unauthenticated attackers to inject arbitrary web scripts that execute whenever a user visits affected pages.

Wordfence noted that the plugin maintainers had previously addressed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3 on February 19.

This follows the discovery of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8), capable of executing malicious code remotely. The issue has been resolved in version 7.11.5; before the fix, authenticated attackers with contributor-level access and above could upload arbitrary files to the affected site’s server, enabling remote code execution.
