Popup Builder Plugin Flaw Exploited To Infect WordPress Sites

Heads up, WordPress admins! It’s time to update your WordPress websites with the latest Popup Builder plugin release. Researchers have discovered criminal hackers exploiting the Popup Builder plugin flaw to infect the target sites with malicious scripts.

Popup Builder WordPress Plugin Flaw Could Allow Malware Injection

According to a recent post from the WordPress security firm Sucuri, their researchers have caught a new malicious campaign active in the wild. This time, the attackers exploit a known vulnerability in the WordPress plugin Popup Builder to attack thousands of websites.

Specifically, the new malware campaign exploits CVE-2023-6000 (CVSS 8.8), a stored XSS vulnerability in the plugin. An unauthenticated attacker could exploit the flaw to gain administrative privileges on the target website. Once that happens, the attacker can perform any action permitted to the logged-in admin account that was abused, including creating new admin users, installing arbitrary plugins, and more.

This vulnerability first caught the attention of WPScan security researchers in late 2023. According to their advisory, the plugin developers, following the bug report, patched the issue with Popup Builder version 4.2.3.

However, while the plugin developers strived to protect users from potential threats, WordPress admins seemingly failed (once again) to adequately secure their sites by promptly updating the plugin.

As Sucuri described, the attackers have been actively exploiting this flaw as part of the Balada Injector campaign since January. Citing PublicWWW, the researchers highlighted roughly 3,300 websites that have already fallen prey to this attack.

To prevent the threat, the researchers advise WordPress admins to patch their sites immediately with the latest Popup Builder plugin release. In addition, for sites already infected with the malware, Sucuri advises removing the malware from the “Custom JS or CSS” section of the plugin.

However, they deemed it a “short-term fix” as reinfection remains likely in such a scenario. Thus, the researchers also advise a thorough website scan to detect and remove backdoors and rogue admin accounts.
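The checks above (is the installed Popup Builder older than the 4.2.3 fix, are there admin accounts you do not recognise, have core or plugin files been tampered with) can be scripted with WP-CLI. The following is an added example written for this article, not code from Sucuri, WPScan or the plugin's developers. It assumes WP-CLI (`wp`) is installed, that it is run from the WordPress root, and that `popup-builder` is the plugin's slug; the `version_lt` helper and the `audit` sub-command are the script's own and only handle purely numeric version strings. The article does not say where Popup Builder stores the “Custom JS or CSS” section, so the database search below is a coarse whole-database sweep for script tags that you would still need to review by hand.

```shell
#!/bin/sh
# Added example (not from the Sucuri/WPScan write-ups): a small post-incident
# audit helper for WordPress admins. Assumes WP-CLI ("wp") is installed, the
# script is run from the WordPress root, and "popup-builder" is the plugin slug.

FIXED_VERSION="4.2.3"   # first release that patches CVE-2023-6000, per the WPScan advisory

# Return 0 (true) if dotted version $1 is older than $2, comparing field by field.
# Assumes numeric components only (e.g. 4.2.2), which is what the plugin uses.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# Return 0 if the given Popup Builder version is still vulnerable to CVE-2023-6000.
popup_builder_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Run the three checks the article recommends against the live site.
audit_site() {
    installed="$(wp plugin get popup-builder --field=version 2>/dev/null)" || {
        echo "Popup Builder not installed, or WP-CLI unavailable"; return 2; }
    if popup_builder_vulnerable "$installed"; then
        echo "VULNERABLE: Popup Builder $installed < $FIXED_VERSION (run: wp plugin update popup-builder)"
    else
        echo "OK: Popup Builder $installed"
    fi

    # Rogue admin accounts: list administrators by registration date so unexpected recent ones stand out.
    echo "--- administrator accounts (review any you do not recognise) ---"
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --orderby=user_registered

    # Backdoors dropped into PHP files: compare core and plugin files against wordpress.org checksums.
    echo "--- file integrity ---"
    wp core verify-checksums
    wp plugin verify-checksums --all

    # Injected scripts: coarse sweep of every table for script tags; review hits manually,
    # since the plugin's Custom JS/CSS storage location is not given in the article.
    echo "--- database rows containing <script (review manually) ---"
    wp db search '<script' --all-tables-with-prefix
}

case "${1:-}" in
    audit) audit_site ;;
esac
```

Run it as `sh audit.sh audit` from the site root. A non-zero exit from `audit_site` means the plugin was not found; a `VULNERABLE` line means update first, then work through the account and integrity output before trusting the site again.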
