Hackers exploited WordPress Popup Builder plugin flaw to compromise 3,300 sites

Pierluigi Paganini March 11, 2024

Threat actors are hacking WordPress sites by exploiting a vulnerability, tracked as CVE-2023-6000, in old versions of the Popup Builder plugin.

In January, Sucuri researchers reported that Balada Injector malware infected over 7100 WordPress sites using a vulnerable version of the . Sucurity reported that on December 13th, the  campaign started infecting websites using older versions of the Popup Builder (, CVSS score 8.8). The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

In the past three weeks, the researchers observed a spike in attacks from a new malware campaign e this same exploiting the same flaw in Popup Builder. According to PublicWWW, threat actors already compromised over . Sucuri’s SiteCheck  has detected Balada Injector malware on over 1,170 sites.

These attacks originated from two domains registered on February 12th, 2024:

  • ttincoming.traveltraffic[.]cc
  • host.cloudsonicwave[.]com

The threat actors exploit the bug in the Popup Builder WordPress plugin to inject malicious code in the Custom JS or CSS section of the WordPress admin interface, which is internally stored in the wp_postmeta database table.

“These injections serve as handlers for various Popup Builder events such as sgpb-ShouldOpensgpb-ShouldClosesgpb-WillOpensgpbDidOpensgpbWillClosesgpb-DidClose. The events fire at different stages of the legitimate site’s popup display process.”

“In some variations, the “hxxp://ttincoming.traveltraffic[.]cc/?traffic” URL is being injected as the redirect-url parameter for a “contact-form-7” popup.”

WordPress Popup Builder plugin

Admins of websites using the Popup Builder plugin are urged to upgrade to the latest version immediately.

Admins of already infected WordPress websites must delete malicious injection from the “Custom JS or CSS” section of the Popup Builder in the WordPress admin interface. Then they have to  to find any hidden website backdoors and remove it.

“However, this is only a short-term fix. The malware is reinfecting compromised environments quite quickly.” concludes the report. “To prevent reinfection, you will also want to  to find any hidden website backdoors. Remove any malicious code or unfamiliar site admins from your environment. Following the cleanup, immediately update the Popup Builder plugin to the latest version to secure your site from this malware. You can check out our  for detailed step-by-step instructions.”

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, WordPress)



you might also like

leave a comment