A high-severity security flaw in the Popup Builder plugin for WordPress is being abused by a new malware campaign to inject malicious JavaScript code.
The campaign is reported to have infected over 3,900 sites in the last three weeks.
In a March 7 report, security expert Puja Srivastava said, “These attacks are planned from domains that are less than a month old and have registration dates that go back to February 12th, 2024.”
Popup Builder has a flaw tracked as CVE-2023-6000 that can be abused to create rogue admin users and install arbitrary plugins. Infection chains use this flaw to deliver the malware.
The same flaw was exploited in a Balada Injector campaign in January that compromised at least 7,000 sites.
In the latest attacks, the injected malicious code comes in two variants and is designed to redirect visitors to other sites, such as phishing and scam pages.
WordPress site owners are advised to keep their plugins up to date and to audit their sites for suspicious code or user accounts; anything found should be removed and the site properly cleaned.
“This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date,” said Srivastava.
This comes after Wordfence, a WordPress security company, disclosed a serious bug in another plugin, Ultimate Member, that can be used to inject malicious web scripts.
The XSS flaw, tracked as CVE-2024-2123 with a CVSS score of 7.2, affects all versions of the plugin, including those before and after 2.8.3. It was fixed in version 2.8.4, released on March 6, 2024.
The bug stems from insufficient input sanitization and output escaping, which allows unauthenticated attackers to inject arbitrary web scripts into pages that then execute whenever a user views them.
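To show what "insufficient sanitization and escaping" looks like in plugin code, here is an added illustration (not Ultimate Member's code and not from Wordfence): a hypothetical plugin that stores a user-supplied tagline and prints it on a public profile page. The WordPress functions used are real; the tagline meta key, nonce action and function names are assumptions.

```php
<?php
// Added illustration, not code from Ultimate Member or from Wordfence.
// A hypothetical plugin stores a user-supplied "tagline" and later prints it
// on a public profile page. WordPress helper functions are real; the
// meta key, nonce action and function names are assumptions.

// Vulnerable pattern: the value is stored as received and echoed as received,
// so markup saved by an unprivileged visitor is rendered for everyone who
// views the page (stored XSS). No capability or nonce check either.
function vulnerable_save_tagline( $user_id, $tagline ) {
    update_user_meta( $user_id, 'tagline', $tagline );   // no sanitization
}
function vulnerable_render_tagline( $user_id ) {
    $tagline = get_user_meta( $user_id, 'tagline', true );
    echo '<p class="tagline" title="' . $tagline . '">' . $tagline . '</p>'; // no escaping
}

// Hardened pattern: sanitize on the way in, escape on the way out for the
// exact output context (HTML body vs. attribute), and require a nonce plus
// a capability so only the intended authenticated user can change the value.
function hardened_save_tagline( $user_id, $tagline, $nonce ) {
    if ( ! wp_verify_nonce( $nonce, 'save_tagline_' . $user_id ) ) {
        return false;   // request did not originate from our own form
    }
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return false;   // caller may not edit this user
    }
    update_user_meta( $user_id, 'tagline', sanitize_text_field( $tagline ) );
    return true;
}
function hardened_render_tagline( $user_id ) {
    $tagline = get_user_meta( $user_id, 'tagline', true );
    printf(
        '<p class="tagline" title="%s">%s</p>',
        esc_attr( $tagline ),   // attribute context
        esc_html( $tagline )    // text-node context
    );
}
```

Escaping at output time is what stops stored markup from executing even if a sanitization step is bypassed, so both layers belong in the fix.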
“Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited,” said Wordfence.
It’s important to note that a related bug (CVE-2024-1071, CVSS score: 9.8) was fixed in version 2.8.3, which came out on February 19.
It also follows the discovery of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8) that could lead to remote code execution. It has been fixed in version 7.11.5.
“This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible,” said Wordfence.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.