A new malware campaign is exploiting a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.
According to Sucuri, it has affected more than 3,900 sites in the last three weeks.
“These attacks are organized from domain names that are less than a month old, with records dating back to February 12, 2024,” security researcher Puja Srivastava said in a report dated March 7.
Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins.
The same flaw was exploited as part of a Balada Injector campaign in early January, compromising no fewer than 7,000 sites.
The most recent series of attacks leads to the injection of malicious code that comes in two different variants and is designed to redirect visitors to other sites, such as phishing pages and scams.
WordPress site owners should keep their plugins up to date, scan their sites for suspicious code or users, and perform proper cleanup.
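The scan step above can be automated. The following is an added example, not code from Sucuri or from the article, that runs the two checks a site owner would want after a campaign like this one: it flags `<script>` tags in post content whose host is not on a known allow-list (or that carry inline code), and it lists administrator accounts registered on or after the campaign's start date. The post rows, user rows, host names and dates are constructed sample data standing in for `wp_posts` and `wp_users`; in practice they would be pulled with WP-CLI or a database query, and the age of an unknown host would be checked separately against WHOIS.

```python
import re
from datetime import date, datetime
from urllib.parse import urlparse

# Constructed sample rows standing in for wp_posts and wp_users.
# Every host, path and user name here is hypothetical.
POSTS = [
    {"ID": 1, "post_content": '<p>Welcome</p>'
        '<script src="https://cdn.example-theme.test/app.js"></script>'},
    {"ID": 2, "post_content": '<p>News</p>'
        '<script src="https://fresh-host.example/js/inj.js"></script>'},
    {"ID": 3, "post_content": '<p>Hi</p><script>var x = 1;</script>'},
]
USERS = [
    {"user_login": "editor", "role": "administrator",
     "user_registered": "2023-06-01 10:00:00"},
    {"user_login": "wp_svc_adm", "role": "administrator",
     "user_registered": "2024-03-01 02:13:44"},
    {"user_login": "author1", "role": "author",
     "user_registered": "2024-03-02 08:00:00"},
]

# Hosts the site legitimately loads scripts from (assumed allow-list).
KNOWN_SCRIPT_HOSTS = {"cdn.example-theme.test"}

# <script ... src="..."> with a quoted source attribute
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
# <script ...> that has no src attribute, i.e. inline code
INLINE_SCRIPT = re.compile(r'<script(?![^>]*\ssrc=)[^>]*>', re.I)


def find_unknown_script_hosts(posts, known_hosts):
    """Return (post ID, host) pairs for external scripts not on the allow-list."""
    hits = []
    for post in posts:
        for src in SCRIPT_SRC.findall(post["post_content"]):
            host = urlparse(src).hostname
            if host and host not in known_hosts:
                hits.append((post["ID"], host))
    return hits


def find_inline_scripts(posts):
    """Return IDs of posts that contain inline <script> blocks."""
    return [p["ID"] for p in posts if INLINE_SCRIPT.search(p["post_content"])]


def find_recent_admins(users, since):
    """Return administrator logins registered on or after `since`."""
    found = []
    for user in users:
        if user["role"] != "administrator":
            continue
        registered = datetime.strptime(
            user["user_registered"], "%Y-%m-%d %H:%M:%S").date()
        if registered >= since:
            found.append(user["user_login"])
    return found


def run_checks(posts=POSTS, users=USERS, known_hosts=KNOWN_SCRIPT_HOSTS,
               since=date(2024, 2, 12)):
    """Bundle the three checks; the campaign start date from the report is the default."""
    return {
        "unknown_script_hosts": find_unknown_script_hosts(posts, known_hosts),
        "inline_script_posts": find_inline_scripts(posts),
        "recent_admins": find_recent_admins(users, since),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Anything the script reports is a lead, not a verdict: a new script host may be a legitimate change, and a recently created administrator may be a colleague, so each hit should be confirmed against the site's change history before cleanup.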
“This new crusade against malware is a stark reminder of the dangers of not keeping software up-to-date and patched,” Srivastava said.
The development comes as WordPress security company Wordfence has disclosed a high-severity bug in another plugin, Ultimate Member, that can be abused to inject malicious web scripts.
The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), affects all versions of the plugin up to and including 2.8.3. It has been fixed in version 2.8.4, released on March 6, 2024.
The flaw stems from insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user visits them.
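The two root causes named above, missing input sanitization and missing output escaping, are easiest to see side by side. The following is an added example written for this article, not code from Ultimate Member or Wordfence, and the field names and allow-list are assumptions. It renders a user-supplied profile value three ways: verbatim (the vulnerable pattern), escaped on output, and passed through a small allow-list sanitizer in the spirit of WordPress's `wp_kses` that keeps a handful of formatting tags and only `http`/`https` links.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: tag -> attributes permitted on it.
ALLOWED_TAGS = {"b": set(), "i": set(), "em": set(), "strong": set(), "a": {"href"}}


def render_unescaped(value: str) -> str:
    """Vulnerable pattern: the stored value reaches the page verbatim."""
    return f'<p class="profile-field">{value}</p>'


def render_escaped(value: str) -> str:
    """Hardened pattern: escape on output, so markup is displayed, not executed."""
    return f'<p class="profile-field">{html.escape(value, quote=True)}</p>'


class AllowListSanitizer(HTMLParser):
    """Keep only allow-listed tags/attributes; escape everything else as text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop <script>, <img>, <iframe>, event handlers, ...
        kept = []
        for name, val in attrs:
            if name not in ALLOWED_TAGS[tag] or val is None:
                continue
            # Only plain web links; rejects javascript:, data: and similar schemes
            if name == "href" and urlparse(val).scheme not in ("http", "https"):
                continue
            kept.append(f' {name}="{html.escape(val, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes (including the body of a dropped <script>) are escaped
        self.out.append(html.escape(data, quote=True))


def sanitize(value: str) -> str:
    """Sanitize on input so only the permitted subset of HTML is stored."""
    parser = AllowListSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    sample = '<b>Hi</b> <a href="https://example.test/">site</a><script>alert(1)</script>'
    print(render_unescaped(sample))
    print(render_escaped(sample))
    print(render_escaped(sanitize(sample)) if False else sanitize(sample))
```

Escaping on output is the check that prevents script execution; sanitizing on input limits what gets stored in the first place. A plugin that accepts rich text needs both: store the sanitized subset, and escape any field that is meant to be plain text at the point where it is printed into the page.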
“Combined with the fact that the vulnerability can be exploited through unprivileged attackers on a vulnerable site, this means that there is a strong possibility that unauthenticated attackers could simply obtain administrative users for sites running the vulnerable edition of the plugin when they are effectively exploited,” Wordfence said.
It’s worth noting that the plugin’s maintainers also addressed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3, released on February 19.
It also follows the discovery of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8) that could make it possible to execute malicious code remotely. It has been addressed in version 7.11.5.
“This allows authenticated attackers, at the contributor level or higher, to upload arbitrary files to the affected site’s server, which can make remote code execution possible,” Wordfence said.