A security flaw in the Popup Builder plugin for WordPress has been exploited by hackers to inject malware into more than 3,300 websites. The vulnerability, identified as CVE-2023-6000, affects versions 4.2.3 and older of the plugin. Sucuri has reported a recent surge in attacks targeting this vulnerability, leading to the injection of malicious code that redirects visitors to phishing pages and malware-dropping sites.
Details:
- Vulnerability ID: CVE-2023-6000
- Affected Versions: Popup Builder versions 4.2.3 and older
- Impact: The XSS vulnerability allows attackers to inject malicious code into the Custom JavaScript or Custom CSS sections of the WordPress admin interface. This code can then execute during specific actions of the plugin, such as when a popup opens or closes, potentially redirecting visitors to harmful sites.
- Attack Campaigns: Sucuri has observed a new campaign exploiting this vulnerability, with 3,329 WordPress sites found to be infected. The attacks originate from the domains “ttincoming.traveltraffic[.]cc” and “host.cloudsonicwave[.]com”.
- Mitigation: Website administrators using the Popup Builder plugin should upgrade to the latest version, 4.2.7, which addresses this security issue. Additionally, blocking the attacking domains and removing malicious entries from the affected sections of the plugin are recommended steps to prevent further exploitation.
Recommendations:
- Update the Plugin: Ensure that the Popup Builder plugin is updated to version 4.2.7 or later.
- Block Malicious Domains: Add “ttincoming.traveltraffic[.]cc” and “host.cloudsonicwave[.]com” to the blocklist to prevent attacks originating from these domains.
- Scan for Infections: Use security tools to scan the website for infections and remove any malicious code or backdoors.
- Regular Security Audits: Perform regular security checks on all WordPress plugins and themes to identify and address vulnerabilities promptly.
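
The "Update the Plugin" and "Scan for Infections" steps can be scripted as a first-pass triage. The sketch below is an added example, not code from Sucuri or the Popup Builder project: it classifies an installed version against the versions named above and searches a text export of popup settings for the two indicator domains. The function names and the sample export rows are constructed for illustration.

```python
import re

# Indicator domains from the advisory, kept defanged in source and refanged at load.
IOC_DOMAINS = [d.replace("[.]", ".") for d in (
    "ttincoming.traveltraffic[.]cc",
    "host.cloudsonicwave[.]com",
)]
# Whole-hostname match, case-insensitive. Plain-text references only:
# an encoded or obfuscated reference will not be found by this pattern.
_IOC_RE = re.compile(
    r"(?<![a-z0-9-])(" + "|".join(map(re.escape, IOC_DOMAINS)) + r")(?![a-z0-9-])",
    re.IGNORECASE,
)
LAST_AFFECTED = (4, 2, 3)  # "4.2.3 and older" are affected
FIXED = (4, 2, 7)          # version the advisory names as addressing the issue


def parse_version(text):
    """Turn '4.2.3' into (4, 2, 3); short versions like '4.2' are zero-padded."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_status(text):
    """Classify a version; anything between 4.2.3 and 4.2.7 is reported as
    needing an update, because the advisory only names 4.2.7 as the fix."""
    v = parse_version(text)
    if v <= LAST_AFFECTED:
        return "affected"
    return "fixed" if v >= FIXED else "update-recommended"


def scan_export(lines):
    """Return (line_number, domain) for every indicator hit in an iterable of lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in _IOC_RE.finditer(line):
            hits.append((number, match.group(1).lower()))
    return hits


# Constructed sample rows standing in for a database export of popup settings.
SAMPLE_EXPORT = [
    "popup 12 | custom css | .promo { color: #333; }",
    f"popup 12 | custom js | load('https://{IOC_DOMAINS[0]}/placeholder')",
    f"popup 31 | custom js | load('//{IOC_DOMAINS[1].upper()}/placeholder')",
    "popup 40 | custom js | load('https://nothost.cloudsonicwave.community/x')",
]

if __name__ == "__main__":
    print(version_status("4.2.3"), scan_export(SAMPLE_EXPORT))
```

A hit identifies the row to inspect and clean by hand; an empty result does not prove a site is clean, so the broader scan recommended above still applies.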