Open Nav
Sign Up

Widespread Infection of WordPress Sites Via Popup Builder Plugin Vulnerability

Bar Refael

January 16, 2024

A significant number of WordPress sites, estimated at over 7,100, have fallen victim to a malware campaign exploiting a vulnerability in the widely-used Popup Builder plugin. This malware, known as Balada Injector, was first reported by Doctor Web in January 2023 and has since leveraged security weaknesses in WordPress plugins to inject malicious backdoors. These backdoors redirect visitors to fraudulent websites, including tech support scams and fake lottery wins.

Technical Details:

The vulnerability in question, tracked as CVE-2023-6000 with a CVSS score of 8.8, was exposed by WPScan and subsequently patched in Popup Builder version 4.2.3. However, sites using older versions of the plugin remain at risk. The Balada Injector’s method involves inserting a malicious JavaScript hosted on specialcraftbox[.]com to assume control over affected sites.

Impact Assessment:

The scale of this campaign is extensive, with Sucuri reporting that it has been active since 2017, compromising over 1 million sites to date. The GoDaddy-owned security company detected fresh Balada Injector activity on December 13, 2023, with current incidents affecting over 7,100 sites.

Threat Actor:

The actors behind Balada Injector have established a pattern of persistent access by uploading backdoors, adding unauthorized plugins, and creating fake administrative accounts, thus retaining long-term control over the compromised sites.

Indicators of Compromise (IoCs):

  • Presence of rogue plugins such as “wp-felody.php” or “Wp Felody”
  • Modifications to the “wp-blog-header.php” file
  • Malicious JavaScript file requests from specialcraftbox[.]com
  • Unusual administrative activities without authentication

Mitigation Measures:

  • Immediate update of the Popup Builder plugin to version 4.2.3 to mitigate the vulnerability.
  • Comprehensive scans for indicators of compromise (IoCs) on all customer sites.
  • Deployment of advanced monitoring tools to detect and respond to suspicious activities.

Customer Guidance:

  • Review and update all WordPress installations and plugins to their latest versions.
  • Regularly audit user roles and privileges to ensure no unauthorized accounts exist.
  • Implement a robust web application firewall (WAF) to safeguard against future injection attempts.
  • Conduct regular backups and have a disaster recovery plan in place.

Recommendations for Immediate Action:

  • Scan for and remove any instances of the “wp-felody.php” or “Wp Felody” plugins.
  • Check the “wp-blog-header.php” file for unauthorized modifications.
  • Validate the integrity of all JavaScript being loaded on WordPress sites.

The Balada Injector campaign underscores the critical need for constant security awareness and proactive defense strategies. OP Innovate advises all customers to implement the recommended measures promptly to secure their digital assets.

Stay safe and informed,

OP Innovate.

Resources highlights

Critical Cisco ISE Vulnerabilities Lead to Unauthenticated RCE (CVE-2025-20281 & CVE-2025-20282)

On June 25, 2025, Cisco disclosed and patched two critical remote code execution (RCE) vulnerabilities: CVE-2025-20281 and CVE-2025-20282, affecting its widely deployed Identity Services Engine…

Read more >

CVE-2025-20281 & CVE-2025-20282

Critical Vulnerability in MegaRAC BMC Added to CISA’s KEV: CVE-2024-54085

On June 25, 2025, CISA added CVE‑2024‑54085, a critical authentication bypass vulnerability in the MegaRAC SPx Baseboard Management Controller (BMC) firmware, to its Known Exploited…

Read more >

CVE-2024-54085

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls The UK’s National Cyber Security Centre (NCSC) has issued an alert regarding a sophisticated malware campaign dubbed “UMBRELLA…

Read more >

umbrella stand fortinet

CVE-2025-49144: Privilege Escalation in Notepad++ Installer Enables Full SYSTEM Access

A critical local privilege escalation vulnerability in the Notepad++ v8.8.1 installer allows attackers to escalate to NT AUTHORITY\SYSTEM using binary planting techniques. Tracked as CVE-2025-49144,…

Read more >

CVE-2025-49144

Our Red Team’s Favorite Penetration Testing Tools in 2025 (And How We Use Them)

When it comes to red team operations, the tools you choose can make or break the engagement. From initial reconnaissance to post-exploitation, having a streamlined,…

Read more >

pentesting tools - op

New Linux Vulnerabilities (CVE-2025-6018 & CVE-2025-6019) Enable Full Root Access in Seconds

Security researchers have uncovered a critical privilege escalation chain in major Linux distributions that allows any local user with a session (SSH or GUI) to…

Read more >

CVE-2025-6018, CVE-2025-6019
Under Cyber Attack?

Fill out the form and we will contact you immediately.