Hackers are hacking WordPress sites using a vulnerability in outdated versions of the Popup Builder plugin, infecting more than 3300 sites with malicious code.
The vulnerability exploited in the attacks is tracked as CVE-2023-6000 - a cross-site scripting (XSS) vulnerability affecting Popup Builder versions 4.2.3 and older, which was first discovered in November 2023.
The Balada Injector campaign, discovered earlier this year, used this vulnerability to infect over 6700 sites, indicating that many site administrators did not patch quickly enough. Now a new campaign is targeting the same vulnerability in the WordPress plugin. According to PublicWWW, code injections related to this latest campaign can be found on 3329 WordPress sites in the last three weeks.
The attacks infect the Custom JavaScript or Custom CSS sections of the WordPress admin interface, with the malicious code being saved in the 'wp_postmeta' database table.
The main function of the injected code is to act as event handlers for the Popup Builder plugin, such as "sgpb-ShouldOpen," "sgpb-ShouldClose," "sgpb-WillOpen," "sgpbDidOpen," "sgpbWillClose," and "sgpb-DidClose." The malicious code is triggered by certain actions of the plugin, such as opening or closing a popup window.
The specific actions of the code may vary, but the main goal of the injections is to redirect visitors of infected sites to malicious addresses such as phishing pages and sites with malware.
In some infections, analysts observed the code injecting a redirection URL (hxxp://ttincoming.traveltraffic[.]cc/?traffic) as a redirect-url parameter for the "contact-form-7" popup window.
In practice, malicious actors can achieve a range of goals using this method, many of which may potentially be more serious than redirection. If you use the Popup Builder plugin on your site, update it to the latest version, currently 4.2.7, which addresses CVE-2023-6000 and other security issues.
Comments (0)
There are no comments for now