Open Nav
Sign Up

Widespread Infection of WordPress Sites Via Popup Builder Plugin Vulnerability

Bar Refael

January 16, 2024

A significant number of WordPress sites, estimated at over 7,100, have fallen victim to a malware campaign exploiting a vulnerability in the widely-used Popup Builder plugin. This malware, known as Balada Injector, was first reported by Doctor Web in January 2023 and has since leveraged security weaknesses in WordPress plugins to inject malicious backdoors. These backdoors redirect visitors to fraudulent websites, including tech support scams and fake lottery wins.

Technical Details:

The vulnerability in question, tracked as CVE-2023-6000 with a CVSS score of 8.8, was exposed by WPScan and subsequently patched in Popup Builder version 4.2.3. However, sites using older versions of the plugin remain at risk. The Balada Injector’s method involves inserting a malicious JavaScript hosted on specialcraftbox[.]com to assume control over affected sites.

Impact Assessment:

The scale of this campaign is extensive, with Sucuri reporting that it has been active since 2017, compromising over 1 million sites to date. The GoDaddy-owned security company detected fresh Balada Injector activity on December 13, 2023, with current incidents affecting over 7,100 sites.

Threat Actor:

The actors behind Balada Injector have established a pattern of persistent access by uploading backdoors, adding unauthorized plugins, and creating fake administrative accounts, thus retaining long-term control over the compromised sites.

Indicators of Compromise (IoCs):

  • Presence of rogue plugins such as “wp-felody.php” or “Wp Felody”
  • Modifications to the “wp-blog-header.php” file
  • Malicious JavaScript file requests from specialcraftbox[.]com
  • Unusual administrative activities without authentication

Mitigation Measures:

  • Immediate update of the Popup Builder plugin to version 4.2.3 to mitigate the vulnerability.
  • Comprehensive scans for indicators of compromise (IoCs) on all customer sites.
  • Deployment of advanced monitoring tools to detect and respond to suspicious activities.

Customer Guidance:

  • Review and update all WordPress installations and plugins to their latest versions.
  • Regularly audit user roles and privileges to ensure no unauthorized accounts exist.
  • Implement a robust web application firewall (WAF) to safeguard against future injection attempts.
  • Conduct regular backups and have a disaster recovery plan in place.

Recommendations for Immediate Action:

  • Scan for and remove any instances of the “wp-felody.php” or “Wp Felody” plugins.
  • Check the “wp-blog-header.php” file for unauthorized modifications.
  • Validate the integrity of all JavaScript being loaded on WordPress sites.

The Balada Injector campaign underscores the critical need for constant security awareness and proactive defense strategies. OP Innovate advises all customers to implement the recommended measures promptly to secure their digital assets.

Stay safe and informed,

OP Innovate.

Resources highlights

New Linux Vulnerabilities (CVE-2025-6018 & CVE-2025-6019) Enable Full Root Access in Seconds

Security researchers have uncovered a critical privilege escalation chain in major Linux distributions that allows any local user with a session (SSH or GUI) to…

Read more >

CVE-2025-6018, CVE-2025-6019

Zero to Hero: How Our Red Team Turned a Sticky Note Into Full Cloud Compromise

“The weakest link in your security chain might be sitting right on your desk.” At OP Innovate, our CREST-certified red team is trained to think…

Read more >

OP Innovate Red Team

One-Third of All Grafana Instances Vulnerable to XSS (CVE-2025-4123)

Over 46,000 internet-facing Grafana servers (≈36 % of those online) are still running versions susceptible to CVE-2025-4123, a high-severity open-redirect that chains into stored cross-site…

Read more >

CVE-2025-4123

New Microsoft Outlook Vulnerability Enables Local Code Execution (CVE-2025-47176)

Published: June 11, 2025 Threat Level: High Affected Product: Microsoft Outlook (Microsoft 365 Apps for Enterprise, Office LTSC 2024) CVSS Score: 7.8 (High) A newly…

Read more >

CVE-2025-47176

How MSSPs Are Turning Penetration Testing Into Recurring Revenue with WASP

When OP Innovate first launched WASP in 2022, we weren’t chasing unicorn status or massive VC rounds. We were focused on fixing a real problem:…

Read more >

CVE-2025-49113: Actively Exploited Critical Vulnerability in Roundcube Webmail

Severity: Critical (CVSS 9.9) Status: Active Exploitation Confirmed On June 1, 2025, Roundcube developers issued critical security updates to patch a newly discovered vulnerability in…

Read more >

CVE-2025-49113.
Under Cyber Attack?

Fill out the form and we will contact you immediately.