Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.

According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.

“These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024,” security researcher Puja Srivastava said in a report dated March 7.

The shortcoming was exploited as part of a Balada Injector campaign earlier this January, compromising no less than 7,000 sites.

The latest set of attacks lead to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages.

WordPress site owners are recommended to keep their plugins up-to-date as well as scan their sites for any suspicious code or users, and perform appropriate cleanup.

The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), impacts all versions of the plugin, including and prior to 2.8.3. It has been patched in version 2.8.4, released on March 6, 2024.

The flaw stems from insufficient input sanitization and output escaping, thereby allowing unauthenticated attackers to inject arbitrary web scripts in pages that will be executed every time a user visits them.

It’s worth noting that the plugin maintainers addressed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3 released on February 19.

It also follows the discovery of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8) and possibly execute malicious code remotely. It has been resolved in version 7.11.5.

“This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible,” Wordfence said.