A new malware campaign is exploiting a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.
According to Sucuri, the campaign has infected more than 3,900 sites in the last three weeks.
“These attacks are orchestrated from domains that are less than a month old, with records dating back to February 12, 2024,” security researcher Puja Srivastava said in a report dated March 7.
The infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create unauthorized administrator users and install arbitrary plugins.
The loophole was exploited as part of a Balada Injector campaign in early January, compromising no fewer than 7,000 sites.
The latest set of attacks leads to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages.
WordPress site owners are advised to keep their plugins updated, scan their sites for any suspicious code or users, and perform appropriate cleanup.
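The two checks recommended above, scanning pages for injected script and looking for unexpected administrator accounts, as an added example that is not part of the Sucuri report. It assumes an allowlist of hosts the site legitimately loads scripts from (`ALLOWED_SCRIPT_HOSTS`), a page body and a user export that are constructed here as sample input, and a cutoff date chosen by the operator:

```python
"""Added example (not from the Sucuri report or the Popup Builder project).

Flags <script src="..."> references to hosts outside an allowlist, counts
inline scripts, and lists administrator accounts registered after a cutoff.
The page and user records below are constructed sample data.
"""
from datetime import datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"example.org", "cdn.example.org"}

# Constructed page: one legitimate CDN script, one unknown external host
# (".invalid" is a reserved placeholder TLD), one inline script, one local file.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
<script src="//static-placeholder.invalid/loader.js"></script>
<script>var x=1;</script>
</head><body><script src="/wp-includes/js/jquery.js"></script></body></html>"""

# Constructed user export (e.g. what an admin would pull from the users table).
SAMPLE_USERS = [
    {"user_login": "editor_jane", "role": "editor", "user_registered": "2023-11-02"},
    {"user_login": "siteowner", "role": "administrator", "user_registered": "2021-05-14"},
    {"user_login": "wpadmin-x7", "role": "administrator", "user_registered": "2024-02-20"},
]


class ScriptCollector(HTMLParser):
    """Records every <script src> URL and counts inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        else:
            self._in_script = True

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies here; count non-empty ones.
        if self._in_script and data.strip():
            self.inline += 1

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def suspicious_script_hosts(page_html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Hosts that serve script to this page but are not on the allowlist.

    Relative paths have no host and are skipped; protocol-relative
    "//host/path" URLs are resolved to their host by urlparse.
    """
    parser = ScriptCollector()
    parser.feed(page_html)
    hosts = []
    for src in parser.sources:
        host = urlparse(src).hostname
        if host and host not in allowed and host not in hosts:
            hosts.append(host)
    return hosts


def inline_script_count(page_html):
    """Number of inline <script> blocks; a sudden increase is worth a look."""
    parser = ScriptCollector()
    parser.feed(page_html)
    return parser.inline


def recent_admins(users, since_iso):
    """Administrator logins registered on or after the ISO date since_iso."""
    since = datetime.fromisoformat(since_iso)
    return [
        u["user_login"]
        for u in users
        if u["role"] == "administrator"
        and datetime.fromisoformat(u["user_registered"]) >= since
    ]


if __name__ == "__main__":
    print("unknown script hosts:", suspicious_script_hosts(SAMPLE_PAGE))
    print("inline scripts:", inline_script_count(SAMPLE_PAGE))
    print("admins created since 2024-02-01:", recent_admins(SAMPLE_USERS, "2024-02-01"))
```

Run it against a saved copy of a rendered page and a dump of the users table; any host it reports that the operator does not recognise, and any administrator created in the window of the attack, is a lead for the cleanup step.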
“This new malware campaign serves as a stark reminder of the risks you face if you don’t keep your website software up to date,” Srivastava said.
The development comes as WordPress security firm Wordfence revealed a high-severity bug in another plugin known as Ultimate Member that can be weaponized to inject malicious web scripts.
The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), impacts all versions of the plugin up to and including 2.8.3. It has been patched in version 2.8.4, released on March 6, 2024.
The flaw results from insufficient input sanitization and output escaping, thus allowing unauthenticated attackers to inject arbitrary web script into pages that will be executed every time a user visits them.
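What “insufficient input sanitization and output escaping” looks like in practice, as an added example that is not Ultimate Member’s code and says nothing about where that plugin’s defect sits. It renders the same user-supplied profile fields twice, once by raw interpolation and once with context-aware escaping (text, attribute, URL), and counts the active content a browser would see in each result. The field names and payloads are constructed:

```python
"""Added example (not Ultimate Member's code): raw interpolation of
user-controlled fields beside context-aware escaping of the same fields.
Inputs are constructed to show the three usual escape contexts.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed user-controlled fields, each aimed at a different context.
DISPLAY_NAME = '" onmouseover="alert(1)'      # breaks out of an attribute
HOMEPAGE = "javascript:alert(2)"              # dangerous URL scheme
BIO = "<script>alert(3)</script>"             # raw markup in text context


def render_vulnerable(display_name, homepage, bio):
    """No escaping at all: the page reflects whatever was stored."""
    return (f'<a href="{homepage}" title="{display_name}">{display_name}</a>'
            f"<p>{bio}</p>")


def esc_text(value):
    """Text context: neutralise < > &."""
    return html.escape(str(value), quote=False)


def esc_attr(value):
    """Attribute context: additionally neutralise quotes so the value cannot close the attribute."""
    return html.escape(str(value), quote=True)


def esc_url(value):
    """URL context: only http(s) URLs with a host survive; anything else becomes empty."""
    parsed = urlparse(str(value))
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return ""
    return esc_attr(value)


def render_hardened(display_name, homepage, bio):
    """Same template, each field escaped for the context it lands in."""
    return (f'<a href="{esc_url(homepage)}" title="{esc_attr(display_name)}">'
            f"{esc_text(display_name)}</a><p>{esc_text(bio)}</p>")


class ActiveContentCounter(HTMLParser):
    """Counts script tags, on* event-handler attributes and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.counts = {"script_tags": 0, "event_handlers": 0, "script_urls": 0}

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.counts["script_tags"] += 1
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.counts["event_handlers"] += 1
            if name.lower() in ("href", "src") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.counts["script_urls"] += 1


def active_content(markup):
    """Parse markup the way a browser roughly would and return what could execute."""
    counter = ActiveContentCounter()
    counter.feed(markup)
    return counter.counts


if __name__ == "__main__":
    print("vulnerable:", active_content(render_vulnerable(DISPLAY_NAME, HOMEPAGE, BIO)))
    print("hardened:  ", active_content(render_hardened(DISPLAY_NAME, HOMEPAGE, BIO)))
```

The point of the three escape helpers is that one filter does not fit every context: a value that is harmless as text can still break out of an attribute, and a syntactically clean URL can still carry a script scheme, which is why the hardened renderer chooses the escape by where the value is placed rather than by what it looks like.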
“Combined with the fact that the vulnerability can be exploited by unprivileged attackers on a vulnerable site, this means that there is a high probability that unauthenticated attackers could gain administrative access on sites running the vulnerable version of the plugin when exploited successfully,” Wordfence said.
It’s worth noting that the plugin maintainers fixed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3 released on February 19.
The development also follows the discovery of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8) that could be exploited to execute malicious code remotely. It has been fixed in version 7.11.5.
“This allows authenticated attackers, with access at contributor level and above, to upload arbitrary files to the affected site’s server that could enable remote code execution,” Wordfence said.
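The server-side checks that keep an upload from a contributor-level account from becoming executable code, as an added example that is not Avada’s code and does not describe that theme’s defect. It assumes an image-only upload feature, a small allowlist of extensions paired with their magic bytes (`ALLOWED_TYPES`), and constructed sample file contents:

```python
"""Added example (not Avada's code): validation an upload handler can apply
so that a low-privilege user cannot store a file the web server would run.
File contents below are constructed sample data.
"""
import os
import secrets

# Assumed allowlist: extension -> leading bytes the content must actually have.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def validate_upload(filename, data):
    """Return the extension to store under, or raise ValueError.

    Rejects path components, multiple extensions (so "x.php.png" never
    reaches a server that maps on the first extension), extensions outside
    the allowlist, and content whose magic bytes disagree with the name.
    """
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("filename must be name.ext with exactly one extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext!r} is not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match the declared type")
    return ext


def stored_name(ext):
    """Server-chosen random name: the client never controls the path on disk."""
    return f"{secrets.token_hex(16)}.{ext}"


def decide(filename, data):
    """Convenience wrapper returning 'accepted' or 'rejected: <reason>'."""
    try:
        validate_upload(filename, data)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed samples: a real PNG header, a PHP file, and two disguises.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    php = b"<?php echo 1; ?>"
    for name, body in [("avatar.png", png), ("shell.php", php),
                       ("shell.php.png", png), ("fake.png", php)]:
        print(name, "->", decide(name, body))
    print("stored as:", stored_name(validate_upload("avatar.png", png)))
```

The name check and the magic-byte check are independent on purpose: each catches a class of input the other misses. Storing the result under a random name in a directory the web server is configured not to execute from closes the remaining gap between “a file was written” and “code was run”.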