A new malware campaign exploits a serious security hole in WordPress’s Popup Builder plugin to insert malicious JavaScript code.

According to Sucuri, the campaign has infected over 3,900 websites in the last three weeks.

“These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024,” security researcher Puja Srivastava said in a March 7 report.

Infection sequences require the exploitation of CVE-2023-6000, a security flaw in Popup Builder that may be used to create rogue admin accounts and install arbitrary plugins.

The flaw was used as part of a Balada Injector attack earlier this January, which compromised no fewer than 7,000 websites.

The most recent series of assaults involves the insertion of malicious code, which comes in two variations and is intended to divert site users to other sites, such as phishing and scam websites.

BianLian threat actors use JetBrains TeamCity flaws in ransomware attacks.

WordPress site owners should maintain their plugins up to date, analyze their sites for suspicious code or users, and do necessary cleaning.

“This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date,” Srivastava said in a statement.

The news comes as WordPress security company Wordfence revealed a critical flaw in another plugin called Ultimate Member that may be used to inject malicious web scripts.

The cross-site scripting (XSS) vulnerability, identified as CVE-2024-2123 (CVSS score: 7.2), affects all plugin versions, including and previous to 2.8.3. Version 2.8.4, which was issued on March 6, 2024, included a patch.

The weakness results from inadequate input sanitization and output escaping, enabling unauthenticated attackers to inject arbitrary web scripts into sites that are run every time a user accesses them.

South Korean Citizen Arrested in Russia on Cyber Espionage Charges.

“Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited,” the security firm said.

It’s worth mentioning that the plugin maintainers corrected a similar problem (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3, which was published on February 19.

It also follows the disclosure of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8), which has the potential to execute malicious code remotely. The issue has been rectified in version 7.11.5.

“This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible,” the security firm warned.

source