WordPress Popup Plugin Exploited, Infecting 3900 Sites
Over 3,300 WordPress websites have been compromised through vulnerabilities in the Popup Builder plugin. Security researchers at Sucuri have identified the flaw, CVE-2023-6000, in versions 4.2.3 and older of the plugin. Its exploitation has led to a surge in malicious activity across the internet.
The vulnerability allows for cross-site scripting (XSS) attacks, wherein attackers can inject malicious JavaScript into the websites' popups. This flaw was first disclosed in November 2023 but has since seen an alarming rate of exploitation. Despite warnings and the availability of updates to patch the vulnerability, many site administrators have not taken timely action, leading to these compromises.
The attacks have been sophisticated, with hackers injecting code into the Custom JavaScript or CSS sections of the WordPress admin interface. The injected code acts as event handlers for various stages of the popup display process, executing malicious scripts that can redirect visitors to phishing sites or other malicious destinations. PublicWWW data revealed that code injections linked to this campaign can be found on 3926 websites at the time of writing.
Attackers have been using domains registered as recently as February 2024, such as “ttincoming.traveltraffic[.]cc” and “host.cloudsonicwave[.]com”, to orchestrate their campaigns.
Security experts are urging WordPress site administrators to take immediate action to secure their sites. This includes updating the Popup Builder plugin to the latest version, which addresses CVE-2023-6000 and other security issues. Furthermore, site administrators are advised to thoroughly scan their sites for malicious injections and hidden backdoors.
As the attacks originate from identifiable domains, blocking these has been recommended as a temporary measure. However, the broader solution lies in heightened vigilance and prompt application of security updates.
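As an added illustration (not code from Sucuri or the plugin's authors), the following Python script scans a text export, such as a database dump, for the two domains named above, including their subdomains and escaped forms. The sample rows and their table, key and path names are constructed placeholders, and the escaped forms it decodes are assumptions about how an injection might appear in a dump.

```python
import re

# Indicators exactly as listed in the article (defanged form).
DEFANGED_IOCS = ["ttincoming.traveltraffic[.]cc", "host.cloudsonicwave[.]com"]

def refang(indicator):
    """Convert a defanged indicator ('[.]') back into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").lower()

IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}

# Hostname-shaped tokens: dot-separated labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"(?<![a-z0-9-])(?:[a-z0-9-]{1,63}\.)+[a-z]{2,24}(?![a-z0-9-])", re.I)
ESCAPE_RE = re.compile(r"\\(?:x([0-9a-f]{2})|u([0-9a-f]{4}))", re.I)

def normalise(line):
    """Undo escaping common in SQL/JSON dumps so hidden hostnames become visible."""
    line = line.replace("\\/", "/")  # JSON-escaped slashes
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), line)

def is_ioc(host):
    """True for a listed host or any subdomain of it, never for look-alikes."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)

def scan_text(text):
    """Return (line_number, host, context) for every indicator hit in text."""
    hits = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = normalise(raw)
        for m in HOST_RE.finditer(line):
            if is_ioc(m.group(0)):
                context = line[max(m.start() - 30, 0):m.end() + 30].strip()
                hits.append((number, m.group(0).lower(), context))
    return hits

# Constructed sample rows (table, key and path names are placeholders).
SAMPLE_DUMP = r'''INSERT INTO example_table VALUES (1,'example_key','{"js":"var u=\"https:\/\/host.cloudsonicwave.com\/placeholder\";"}');
INSERT INTO example_table VALUES (2,'example_key','{"js":"var u=\"//TTINCOMING.traveltraffic.cc/placeholder\";"}');
INSERT INTO example_table VALUES (3,'example_key','{"js":"var u=\"https://nothost.cloudsonicwave.com.example/\";"}');
INSERT INTO example_table VALUES (4,'example_key','{"js":"\x68ost.cloudsonicwave.com"}');
'''

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_DUMP):
        print(hit)
```

Row 3 is a look-alike hostname and is deliberately not reported; a clean result from this scan covers only these two indicators and does not replace a full malware and backdoor scan.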