Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Websites


A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.

According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.

“These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024,” security researcher Puja Srivastava said in a report dated March 7.

Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins.


The shortcoming was exploited as part of a Balada Injector campaign earlier this January, compromising at least 7,000 websites.

The latest set of attacks leads to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages.

WordPress site owners are recommended to keep their plugins up-to-date, scan their sites for any suspicious code or users, and perform appropriate cleanup.

“This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date,” Srivastava said.
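One way to carry out the "suspicious users" part of that advice, as an added example that is not from Sucuri's report or the original article: list administrator accounts registered after a chosen date and not on an allow-list, since CVE-2023-6000 can be used to create rogue admin users. It assumes the default `wp_` table prefix; the cutoff date, the allow-list and all sample rows are constructed, and SQLite stands in for the site's MySQL/MariaDB database so the query runs offline.

```python
import sqlite3
from datetime import datetime

# Assumption: default "wp_" table prefix. Production WordPress uses MySQL/MariaDB;
# SQLite is used here only so the same query runs offline on constructed rows.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator";b:1%'
ORDER BY u.user_registered
"""

def admins_created_since(conn, cutoff, known_logins):
    """Administrator accounts registered on or after `cutoff` and not in the allow-list."""
    findings = []
    for uid, login, email, registered in conn.execute(ADMIN_QUERY):
        when = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if when >= cutoff and login not in known_logins:
            findings.append((uid, login, email, registered))
    return findings

def build_sample_db():
    """Constructed sample data: four accounts, three of them administrators."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    admin = 'a:1:{s:13:"administrator";b:1;}'   # PHP-serialized role array
    editor = 'a:1:{s:6:"editor";b:1;}'
    rows = [
        (1, "siteowner", "owner@example.com", "2021-05-04 09:12:00", admin),
        (2, "editor_amy", "amy@example.com", "2024-02-20 14:03:11", editor),
        (3, "wpsupp0rt", "x@example.net", "2024-02-25 03:41:57", admin),
        (4, "new_it_admin", "it@example.com", "2024-03-01 10:00:00", admin),
    ]
    for uid, login, email, registered, caps in rows:
        conn.execute("INSERT INTO wp_users VALUES (?,?,?,?)", (uid, login, email, registered))
        conn.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
                     "VALUES (?, 'wp_capabilities', ?)", (uid, caps))
    return conn

if __name__ == "__main__":
    # Cutoff and allow-list are assumptions for the demo; set them for your site.
    hits = admins_created_since(build_sample_db(), datetime(2024, 1, 1),
                                {"siteowner", "new_it_admin"})
    for hit in hits:
        print("review admin account:", hit)
```

On a live site the same `SELECT` can be run directly against the WordPress database, and any account it returns that nobody on the team recognizes should be reviewed before cleanup.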

The development comes as WordPress security firm Wordfence disclosed a high-severity bug in another plugin known as Ultimate Member that can be weaponized to inject malicious web scripts.

The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), impacts all versions of the plugin up to and including 2.8.3. It has been patched in version 2.8.4, released on March 6, 2024.

The flaw stems from insufficient input sanitization and output escaping, thereby allowing unauthenticated attackers to inject arbitrary web scripts in pages that will be executed every time a user visits them.

“Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited,” Wordfence said.


It is worth noting that the plugin maintainers addressed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3, released on February 19.

It also follows the discovery of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8) that could possibly allow malicious code to be executed remotely. It has been resolved in version 7.11.5.

“This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible,” Wordfence said.
