Vulnerabilities
March 11, 2024

Hackers Utilise WordPress Plugin Vulnerability to Infect 3,300 Websites with Malicious Software

Cyber criminals have recently intensified their attacks on WordPress sites, targeting an outdated version of the Popup Builder plugin to breach security defences. Over 3,300 websites have now been infected with malicious code through a known vulnerability tracked as CVE-2023-6000. This flaw, a cross-site scripting (XSS) vulnerability, affects Popup Builder versions 4.2.3 and older, and was first disclosed in November 2023.

At the start of the year, a Balada Injector campaign surfaced that used the same vulnerability to infiltrate more than 6,700 websites. That campaign's success underscores how many site administrators have delayed patching.

Based on published findings, code injections associated with the recent campaign have been identified on 3,329 WordPress sites, and 1,170 infections have been reported.

Details of the injection

The attacks target the Custom JavaScript or Custom CSS segments within the WordPress admin interface, with the malicious code being stored in the 'wp_postmeta' database table.

The injected code primarily functions as event handlers for various Popup Builder plugin events, including 'sgpb-ShouldOpen', 'sgpb-ShouldClose', 'sgpb-WillOpen', 'sgpbDidOpen', 'sgpbWillClose', and 'sgpb-DidClose'. Hooking these events lets the malicious code run during specific plugin actions, such as when a popup opens or closes.

While the precise actions of the code may vary, the primary aim of the injections seems to be redirecting visitors of compromised sites to malicious destinations, such as phishing pages and sites distributing malware.

In some instances of infection, analysts have observed the code injecting a redirect URL (hxxp://ttincoming.traveltraffic[.]cc/?traffic) as the 'redirect-url' parameter for a "contact-form-7" popup.

In practical terms, attackers can exploit this method to achieve various malicious objectives, some of which may be more severe than mere redirection.

Defending against attacks

The attacks originate from the domains "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com", so it is advisable to block access to both.

If you're utilising the Popup Builder plugin on your website, it's crucial to upgrade to the latest version, currently 4.2.7, which addresses CVE-2023-6000 and other security vulnerabilities.

WordPress statistics indicate that a significant number of active sites, at least 80,000, are still using Popup Builder versions 4.1 and older, leaving a considerable attack surface vulnerable.

In the event of an infection, the removal process involves deleting the malicious entries from Popup Builder's custom sections and scanning the site for hidden backdoors so that it is not reinfected.
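The injection details above (code stored in wp_postmeta, hooked to the sgpb events, redirecting to the two named domains or via a 'redirect-url' parameter) and the remediation steps (upgrade to 4.2.7, remove the malicious entries) can be turned into a small triage script. The following is an added example, not code from the article or from the Popup Builder project. It scans wp_postmeta rows for the indicators the article names and checks an installed plugin version against the fixed release. The wp_postmeta rows, meta_key names and site hostname are constructed placeholders; real rows would come from a database export. The event-hook rule is a heuristic: it only flags a handler that also references an off-site URL, so legitimate custom JavaScript that stays on the site is not reported.

```python
"""Triage helpers for the Popup Builder injection campaign described above.

Added example, not the article's or the plugin's code. The sample rows,
meta_key names and site hostname below are constructed placeholders.
"""
import re
from urllib.parse import urlparse

# Domains named in the article (written defanged there, plain here so they
# can be compared against parsed hostnames).
IOC_DOMAINS = {
    "ttincoming.traveltraffic.cc",
    "host.cloudsonicwave.com",
}

# Popup Builder event names the article reports the injected code hooks.
SGPB_EVENTS = (
    "sgpb-ShouldOpen", "sgpb-ShouldClose", "sgpb-WillOpen",
    "sgpbDidOpen", "sgpbWillClose", "sgpb-DidClose",
)

# Release that fixes CVE-2023-6000, per the article.
FIXED_VERSION = "4.2.7"

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def parse_version(version):
    """'4.2.3' -> (4, 2, 3); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def needs_upgrade(installed):
    """True when the installed Popup Builder is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def external_hosts(text, site_host):
    """Hostnames referenced by URLs in text, excluding the site's own host."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and host != site_host.lower():
            hosts.add(host)
    return hosts


def scan_postmeta(rows, site_host):
    """Return findings for wp_postmeta rows matching this campaign's pattern.

    rows: iterable of (meta_id, post_id, meta_key, meta_value).
    A row is flagged when it references a known IOC domain, when it hooks a
    Popup Builder event and also points off-site, or when a 'redirect-url'
    setting points off-site. Each finding lists the reasons so an analyst
    can review before deleting the row.
    """
    findings = []
    for meta_id, post_id, meta_key, meta_value in rows:
        value = meta_value or ""
        hosts = external_hosts(value, site_host)
        reasons = []
        ioc_hits = sorted(hosts & IOC_DOMAINS)
        if ioc_hits:
            reasons.append("known IOC domain: " + ", ".join(ioc_hits))
        events = [e for e in SGPB_EVENTS if e in value]
        if events and hosts:
            reasons.append("popup event handler with off-site URL: "
                           + ", ".join(sorted(hosts)))
        if "redirect-url" in value and hosts:
            reasons.append("redirect-url points off-site: "
                           + ", ".join(sorted(hosts)))
        if reasons:
            findings.append({"meta_id": meta_id, "post_id": post_id,
                             "meta_key": meta_key, "reasons": reasons})
    return findings


# Constructed sample data; meta_key values are placeholders, not the
# plugin's real keys.
SAMPLE_SITE_HOST = "www.example-shop.test"
SAMPLE_ROWS = [
    # Benign: custom JS that hooks a popup event but stays on-site.
    (101, 7, "placeholder_custom_js",
     "jQuery(document).on('sgpb-DidOpen', function(){ console.log('opened'); });"),
    # Mimics the redirect the article describes, to a named IOC domain.
    (102, 7, "placeholder_custom_js",
     "jQuery(document).on('sgpb-ShouldOpen', function(){ "
     "window.location.href='http://ttincoming.traveltraffic.cc/?traffic'; });"),
    # Popup option whose redirect-url points at an unknown external host.
    (103, 9, "placeholder_popup_options",
     "'redirect-url' => 'https://cdn.unknown-host.test/land'"),
    # Unrelated WordPress metadata.
    (104, 12, "_thumbnail_id", "55"),
]

if __name__ == "__main__":
    for finding in scan_postmeta(SAMPLE_ROWS, SAMPLE_SITE_HOST):
        print(finding)
    print("upgrade needed for 4.2.3:", needs_upgrade("4.2.3"))
```

Running the script against the constructed rows reports rows 102 and 103 and leaves the benign handler alone; on a real site the same functions would be fed the output of a wp_postmeta export, and each flagged row reviewed and removed as the article's cleanup step describes.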
