A recent surge in attacks from a new malware campaign exploits a known vulnerability in the WordPress plugin Popup Builder, infecting over 3,300 websites with XSS attacks.
A recent Balada Injector campaign discovered in January exploited a cross-site scripting (XSS) vulnerability tracked as CVE-2023-6000 with a CVSS base score of 8.8.
According to Sucuri, they have noticed an increase in attacks over the last three weeks from an ongoing malware campaign that is aiming to take advantage of the same Popup Builder vulnerability in versions 4.2.3 and before.
Over 1,170 websites have had this infection found by Sucuri’s own SiteCheck remote malware scanning.
Malware analysis can be fast and simple. Just let us show you the way to:
The domains used for these attacks were registered on February 12th, 2024, less than a month ago:
“The attackers exploit a known vulnerability in the Popup Builder WordPress plugin to inject malicious code that can be found in the Custom JS or CSS section of the WordPress admin interface, which is internally stored in the wp_postmeta database table,” Sucuri shared with Cyber Security News.
These injections handle a variety of Popup Builder events, including sgpb-ShouldOpen, sgpb-ShouldClose, sgpb-WillOpen, sgpbDidOpen, sgpbWillClose, sgpb-DidClose.
The events occur at various points during the popup display procedure on the official website.
Sometimes, the “hxxp://ttincoming.traveltraffic[.]cc/?traffic” URL is being injected as the redirect-url parameter for a “contact-form-7” popup.
Researchers presently detecting this campaign’s injections as malware?pbuilder_injection.1.x.
If you’re the owner of an unpatched Popup Builder plugin, update the vulnerable plugin—or use a web application firewall to virtually patch it.
Fortunately, eliminating this harmful injection is not too difficult. It can be removed via the Popup Builder’s “Custom JS or CSS” area within the WordPress admin interface.
“To prevent reinfection, you will also want to scan your website at the client and server level to find any hidden website backdoors”, researchers said.
This recent malware campaign clearly warns about the dangers of not maintaining patched and updated website software.
Website owners are highly advised to maintain all software and component upgrades with the most recent security patches.
With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
Cisco Systems has issued a critical security advisory for a newly disclosed command injection vulnerability…
A newly discovered Wi-Fi jamming technique enables attackers to selectively disconnect individual devices from networks…
GitLab has urgently released security updates to address multiple high-severity vulnerabilities in its platform that…
A high-severity security vulnerability (CVE-2025-0514) in LibreOffice, the widely used open-source office suite, has been…
Cisco Systems has disclosed a high-severity vulnerability (CVE-2025-20111) in its Nexus 3000 and 9000 Series…
A sophisticated cyber campaign orchestrated by the Chinese Advanced Persistent Threat (APT) group, Silver Fox,…