
A new malware campaign is exploiting a high-severity security vulnerability in the WordPress Popup Builder plugin to inject malicious JavaScript code.
According to Sucuri, the campaign has infected more than 3,900 websites in the past three weeks.
“These attacks were orchestrated from domains less than a month old, with registration dates dating back to February 12, 2024,” security researcher Puja Srivastava said in a March 7 report.
The infection sequence involves exploiting CVE-2023-6000, a security vulnerability in Popup Builder that can be exploited to create a malicious administrator user and install arbitrary plug-ins.

In early January this year, the Balada Injector attack campaign exploited this flaw, resulting in at least 7,000 sites being compromised.
The latest set of attacks results in the injection of malicious code that comes in two different variants and is designed to redirect website visitors to other sites, such as phishing and scamming pages.
WordPress website owners are advised to keep their plugins up to date, scan their sites for any suspicious code or users, and perform the appropriate cleanup.
“This new malware campaign is a stark reminder of the risks people face if they don’t keep their website software updated,” Srivastava said.
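The cleanup advice above (scan for injected code and for unexpected users) can be turned into a small triage script. The following is an added example, not code from the article, Sucuri or Wordfence: it flags `<script>` tags that load code from outside the site's own host and administrator accounts registered on or after the February 12, 2024 date the article cites; the site host, the post body and the user list are constructed sample data.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: a post body with one legitimate inline script, one
# first-party script, and one injected script loaded from a foreign domain.
SAMPLE_HTML = """<p>Welcome to our shop</p>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://cdn.example-attacker.invalid/loader.js"></script>
<script src="https://www.example.com/assets/app.js"></script>"""

# Assumed site host; anything else serving scripts is treated as external.
SITE_HOST = "www.example.com"

# Constructed sample users: (login, role, registered) as WordPress stores them.
SAMPLE_USERS = [
    ("editor", "administrator", "2022-05-01 10:00:00"),
    ("wp-admin-backup", "administrator", "2024-02-20 03:14:07"),  # new admin
    ("jane", "subscriber", "2024-02-25 12:00:00"),
]

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_external_scripts(html, site_host):
    """Return the hosts of <script src=...> tags that load code from outside the site."""
    hosts = []
    for attrs, _body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if not m:
            continue  # inline script, no src attribute
        host = urlparse(m.group(1)).hostname or ""
        if host and host != site_host:
            hosts.append(host)
    return hosts


def find_new_admins(users, since):
    """Return logins of administrator accounts registered on or after `since`."""
    cutoff = datetime.fromisoformat(since)
    return [login for login, role, registered in users
            if role == "administrator" and datetime.fromisoformat(registered) >= cutoff]


if __name__ == "__main__":
    print("external scripts:", find_external_scripts(SAMPLE_HTML, SITE_HOST))
    print("admins created since 2024-02-12:", find_new_admins(SAMPLE_USERS, "2024-02-12"))
```

On a real site the post bodies and user rows would come from the database (for example via WP-CLI exports) rather than the inline samples; every hit is a lead to review, not proof of compromise.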
The development comes as WordPress security company Wordfence revealed a highly critical bug in another plugin called Ultimate Member, which can be used to inject malicious web scripts.
The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), affects all versions of the plugin up to and including 2.8.3. It was patched in version 2.8.4, released on March 6, 2024.
This flaw results from insufficient input sanitization and output escaping, allowing an unauthenticated attacker to inject arbitrary web script into the page, which will be executed on every user visit.
“Coupled with the fact that the vulnerability can be exploited by an attacker without permission on the vulnerable website, this means that an unauthenticated attacker who successfully exploits the vulnerability has a high chance of obtaining administrative user access to a site running a vulnerable version of the plugin,” Wordfence said.

It is worth noting that the plugin maintainer addressed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3, released on February 19.
Wordfence also discovered an arbitrary file upload vulnerability (CVE-2024-1468, CVSS score: 8.8) in the Avada WordPress theme that could allow remote execution of malicious code. It was resolved in version 7.11.5.
“This allows an authenticated attacker with contributor level or above access to upload arbitrary files on the affected site’s server, potentially achieving remote code execution,” Wordfence said.