Pierluigi Paganini March 11, 2024

Threat actors are hacking WordPress sites by exploiting a vulnerability, tracked as CVE-2023-6000, in old versions of the Popup Builder plugin.

In January, Sucuri researchers reported that Balada Injector malware infected over 7100 WordPress sites using a vulnerable version of the Popup Builder WordPress plugin. Sucurity reported that on December 13th, the Balada Injector campaign started infecting websites using older versions of the Popup Builder (CVE-2023-6000, CVSS score 8.8). The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

In the past three weeks, the researchers observed a spike in attacks from a new malware campaign e this same exploiting the same flaw in Popup Builder. According to PublicWWW, threat actors already compromised over 3,300 websites. Sucuri’s SiteCheck remote malware scanner has detected Balada Injector malware on over 1,170 sites.

These attacks originated from two domains registered on February 12th, 2024:

• ttincoming.traveltraffic[.]cc
• host.cloudsonicwave[.]com

The threat actors exploit the bug in the Popup Builder WordPress plugin to inject malicious code in the Custom JS or CSS section of the WordPress admin interface, which is internally stored in the wp_postmeta database table.

“These injections serve as handlers for various Popup Builder events such as sgpb-ShouldOpen, sgpb-ShouldClose, sgpb-WillOpen, sgpbDidOpen, sgpbWillClose, sgpb-DidClose. The events fire at different stages of the legitimate site’s popup display process.” reads the report.

“In some variations, the “hxxp://ttincoming.traveltraffic[.]cc/?traffic” URL is being injected as the redirect-url parameter for a “contact-form-7” popup.”

Admins of websites using the Popup Builder plugin are urged to upgrade to the latest version immediately.

Admins of already infected WordPress websites must delete malicious injection from the “Custom JS or CSS” section of the Popup Builder in the WordPress admin interface. Then they have to scan their website at the client and server level to find any hidden website backdoors and remove it.

“However, this is only a short-term fix. The malware is reinfecting compromised environments quite quickly.” concludes the report. “To prevent reinfection, you will also want to scan your website at the client and server level to find any hidden website backdoors. Remove any malicious code or unfamiliar site admins from your environment. Following the cleanup, immediately update the Popup Builder plugin to the latest version to secure your site from this malware. You can check out our Hacked WordPress guide for detailed step-by-step instructions.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)