Thousands of Sites Infected with Malware Due to a WordPress Plugin Flaw

Thousands of WordPress websites have become infected with malware, exploiting a known vulnerability in an older version of the widely-used Popup Builder plugin. This alarming situation highlights the importance of website administrators to stay vigilant and promptly update their digital defenses.

The Breach Explained

Cybersecurity experts have identified a vulnerability in the Popup Builder plugin versions 4.2.3 and below. Officially cataloged as CVE-2023-6000, the flaw primarily involves a cross-site scripting (XSS) flaw that was first brought to light in November 2023. 

Despite the initial disclosure, a considerable segment of website administrators failed to implement necessary updates, leaving their sites exposed to potential threats. A Balada Injector campaign, detected at the start of the year, has already manipulated this vulnerability, compromising over 6,700 websites. 

The recent surge in attacks, however, has targeted a similar loophole, infecting an additional 3,329 WordPress sites, as per recent findings by Sucuri and corroborated by PublicWWW data.

Understanding the Attack

So, how does the attack work? It involves the injection of malicious code within the Custom JavaScript or Custom CSS sections, which is accessible through the WordPress admin interface. This code then embeds itself within the ‘wp_postmeta’ database table, lying in wait to execute its harmful payload.

A variant of the malicious code (Source: Sucuri)

Upon activation, this injected code interacts with various events associated with the Popup Builder plugin, effectively hijacking the website’s normal operations. The ultimate aim appears to be the redirection of unsuspecting visitors to nefarious websites, including phishing schemes and malware distribution channels.

How to Protect 

Website owners and administrators are strongly advised to adopt a proactive stance in safeguarding their sites. Key recommendations include:

• Immediate Update: Ensure that your Popup Builder plugin is updated to the latest version, currently standing at 4.2.7, which rectifies the CVE-2023-6000 vulnerability along with other security issues.
  
• Domain Blocking:You should block known malicious domains associated with these attacks, specifically “ttincoming.traveltraffic[.]cc” and “host.cloudsonicwave[.]com”, to prevent potential intrusions.
  
• Vigilant Monitoring: Regularly scan your website for any anomalies or unauthorized modifications, especially within the Popup Builder’s custom sections, to detect and mitigate any possible infiltrations.

Final Word

The recent spate of attacks exploiting a WordPress plugin vulnerability serves as a stark reminder of the constant vigilance required to protect online platforms. By staying informed, promptly updating software, and employing best practices in cybersecurity, website owners can fortify their defenses against these ever-present digital threats.