Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

A recent malware campaign has exploited a critical security flaw within the Popup Builder plugin for WordPress, injecting malicious JavaScript code. Over the past three weeks, more than 3,900 sites have fallen victim to this campaign, which utilizes domains registered as recently as February 12, 2024. The attack leverages CVE-2023-6000, a vulnerability in Popup Builder allowing the creation of unauthorized admin users and the installation of arbitrary plugins. This campaign follows a previous Balada injector attack in January, impacting at least 7,000 sites. The injected malicious code redirects visitors to phishing and scam pages. WordPress site owners are advised to update their plugins promptly, scan for suspicious code or users, and conduct necessary cleanups.

Security Officer Comments:
In a related development, WordFence has disclosed a high-severity vulnerability CVE-2024-2123 in the Ultimate Member plugin, allowing unauthenticated attackers to inject malicious web scripts. This flaw patched in version 2.8.4 released on March 6, 2024, could potentially grant attackers administrative user access. The plugin had previously addressed a similar vulnerability (CVE-2024-1071) in version 2.8.3, underscoring the importance of regular updates and patches in maintaining security.

Suggested Corrections:
If you’re the owner of an unpatched Popup Builder plugin, you can quickly mitigate risk with a single simple step: update your vulnerable plugin (or virtually patch it with a web application firewall)!

If you find your website compromised, the first step is to clean it thoroughly. The good news is that removing this malicious injection is relatively straightforward – you can delete it from the “Custom JS or CSS” section of the Popup Builder in the WordPress admin interface. However, this is only a short-term fix. The malware is reinfecting compromised environments quite quickly.

To prevent reinfection, you will also want to scan your website at the client and server level to find any hidden website backdoors. Remove any malicious code or unfamiliar site admins from your environment. Following the cleanup, immediately update the Popup Builder plugin to the latest version to secure your site from this malware. You can check out our Hacked WordPress guide for detailed step-by-step instructions.