Hackers are breaching WordPress sites by exploiting a vulnerability in outdated versions of the Popup Builder plugin, infecting over 3,300 websites with malicious code.

The flaw leveraged in the attacks is tracked as CVE-2023-6000, a cross-site scripting (XSS) vulnerability impacting Popup Builder versions 4.2.3 and older, which was initially disclosed in November 2023.

A Balada Injector campaign uncovered at the start of the year exploited the particular vulnerability to infect over 6,700 websites, indicating that many site admins hadn't patched quickly enough.

Sucuri now reports spotting a new campaign with a notable uptick in the past three weeks, targeting the same vulnerability on the WordPress plugin.

According to PublicWWW results, code injections linked to this latest campaign are to be found in 3,329 WordPress sites, with Sucuri's own scanners detecting 1,170 infections.

Injection details

The attacks infect the Custom JavaScript or Custom CSS sections of the WordPress admin interface, while the malicious code is stored within the 'wp_postmeta' database table.

The primary function of the injected code is to act as event handlers for various Popup Builder plugin events, such as 'sgpb-ShouldOpen', 'sgpb-ShouldClose', 'sgpb-WillOpen', 'sgpbDidOpen', 'sgpbWillClose', and 'sgpb-DidClose.'

By doing that, malicious code executes at specific actions of the plugin, like when a popup opens or closes.

Sucuri says the exact actions of the code may vary, but the primary purpose of the injections appears to be redirecting visitors of infected sites to malicious destinations such as phishing pages and malware-dropping sites.

Specifically, in some infections, the analysts observed the code injecting a redirect URL (hxxp://ttincoming.traveltraffic[.]cc/?traffic) as the 'redirect-url' parameter for a "contact-form-7" popup.

The injection above retrieves the malicious code snippet from an external source and injects it into the webpage head for execution by the browser.

Practically, it is possible for the attackers to achieve a range of malicious goals through this method, many potentially being more severe than redirections. 

Defending

The attacks originate from the domains "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com," so blocking these two is recommended.

If you're using the Popup Builder plugin on your site, upgrade to the latest version, currently 4.2.7, which addresses CVE-2023-6000 and other security problems.

WordPress stats show that at least 80,000 active sites currently use Popup Builder 4.1 and older, so the attack surface remains significant.

In the case of an infection, removal involves deleting malicious entries from the Popup Builder's custom sections and scanning for hidden backdoors to prevent reinfection.