Saturday, October 12, 2024
HomeCross site ScriptingWordpress Builder Plugin Flaw Exposes 3,300+ Websites To XSS Attack

WordPress Builder Plugin Flaw Exposes 3,300+ Websites To XSS Attack

Published on

Malware protection

A recent surge in attacks from a new malware campaign exploits a known vulnerability in the WordPress plugin Popup Builder, infecting over 3,300 websites with XSS attacks.

A recent Balada Injector campaign discovered in January exploited a cross-site scripting (XSS) vulnerability tracked as CVE-2023-6000 with a CVSS base score of 8.8.

According to Sucuri, they have noticed an increase in attacks over the last three weeks from an ongoing malware campaign that is aiming to take advantage of the same Popup Builder vulnerability in versions 4.2.3 and before.

- Advertisement - SIEM as a Service

Over 1,170 websites have had this infection found by Sucuri’s own SiteCheck remote malware scanning.

Document
Integrate ANY.RUN in your company for Effective Malware Analysis

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

  • Interact with malware safely
  • Set up virtual machine in Linux and all Windows OS versions
  • Work in a team
  • Get detailed reports with maximum data
  • If you want to test all these features now with completely free access to the sandbox:


Malware Campaign Exploiting Stored XSS In Popup Builder < 4.2.3

The domains used for these attacks were registered on February 12th, 2024, less than a month ago:

  • ttincoming.traveltraffic[.]cc
  • host.cloudsonicwave[.]com

“The attackers exploit a known vulnerability in the Popup Builder WordPress plugin to inject malicious code that can be found in the Custom JS or CSS section of the WordPress admin interface, which is internally stored in the wp_postmeta database table,” Sucuri shared with Cyber Security News.

These injections handle a variety of Popup Builder events, including sgpb-ShouldOpen, sgpb-ShouldClose, sgpb-WillOpen, sgpbDidOpen, sgpbWillClose, sgpb-DidClose.

The events occur at various points during the popup display procedure on the official website.

Malicious code found in the database of infected websites (Source: Sucuri)

Sometimes, the “hxxp://ttincoming.traveltraffic[.]cc/?traffic” URL is being injected as the redirect-url parameter for a “contact-form-7” popup.

Researchers presently detecting this campaign’s injections as malware?pbuilder_injection.1.x.

Detecting this campaign’s injections (Source: Sucuri)

Mitigation

If you’re the owner of an unpatched Popup Builder plugin, update the vulnerable plugin—or use a web application firewall to virtually patch it.

Fortunately, eliminating this harmful injection is not too difficult. It can be removed via the Popup Builder’s “Custom JS or CSS” area within the WordPress admin interface.

“To prevent reinfection, you will also want to scan your website at the client and server level to find any hidden website backdoors”, researchers said.

This recent malware campaign clearly warns about the dangers of not maintaining patched and updated website software.

Website owners are highly advised to maintain all software and component upgrades with the most recent security patches.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...