A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.
According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.
“These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024,” security researcher Puja Srivastava said in a report dated March 7.
Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins.
The shortcoming was exploited as part of a Balada Injector campaign earlier this January, compromising no fewer than 7,000 sites.
The latest set of attacks leads to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages.
WordPress site owners are recommended to keep their plugins up-to-date, scan their sites for any suspicious code or users, and perform appropriate cleanup.
“This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date,” Srivastava said.
The development comes as WordPress security firm Wordfence disclosed a high-severity bug in another plugin called Ultimate Member that can be weaponized to inject malicious web scripts.
The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), affects all versions of the plugin up to and including 2.8.3. It has been patched in version 2.8.4, released on March 6, 2024.
The flaw stems from insufficient input sanitization and output escaping, thereby allowing unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user visits them.
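To illustrate the class of defect described above (missing input sanitization and output escaping), here is an added example in plain PHP. It is not code from the Ultimate Member plugin, Wordfence, or Sucuri; the function names, the constructed sample input, and the display-name rule are assumptions made for the demonstration. The same untrusted value is rendered once without escaping and once with context-appropriate escaping, and a whitelist check shows rejecting bad input on the way in.

```php
<?php
// Added example, not code from the plugin or the vendors named in the article.
// Function names and the sample input below are assumptions for illustration.

// Constructed attacker-controlled input, as it might arrive in a form field
// or be read back from a stored profile value.
$untrusted = '"><script>alert(document.domain)</script>';

// Vulnerable pattern: the raw value is concatenated into HTML text and into
// an attribute, so markup in the value becomes live markup in the page.
function render_unsafe(string $value): string {
    return '<div class="bio">' . $value . '</div>'
         . '<input type="text" value="' . $value . '">';
}

// Hardened pattern: escape for the HTML body and the attribute context.
// In a WordPress plugin the equivalents are esc_html() and esc_attr();
// htmlspecialchars() is used here so the file runs stand-alone.
function esc_html_ctx(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $value): string {
    return '<div class="bio">' . esc_html_ctx($value) . '</div>'
         . '<input type="text" value="' . esc_html_ctx($value) . '">';
}

// Input sanitization as defence in depth: a display name has no business
// containing angle brackets or quotes, so reject rather than try to clean.
// The allowed-character rule is an assumption for this example.
function sanitize_display_name(string $value): ?string {
    $value = trim($value);
    return preg_match('/^[\p{L}\p{N} ._\'-]{1,60}$/u', $value) ? $value : null;
}

echo "Unescaped (script tag survives):\n", render_unsafe($untrusted), "\n\n";
echo "Escaped (rendered as inert text):\n", render_safe($untrusted), "\n\n";
var_dump(sanitize_display_name($untrusted));    // NULL: rejected at input
var_dump(sanitize_display_name("Jane O'Brien")); // string(12) "Jane O'Brien"
```

Output escaping is the control that actually prevents the script from executing, because it must be applied at every place the value is emitted and chosen for the context (HTML text, attribute, URL, JavaScript). Input sanitization narrows what gets stored in the first place, which limits damage when an escaping call is missed somewhere else in the code base.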
“Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited,” Wordfence said.
It's worth noting that the plugin maintainers addressed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3, released on February 19.
It also follows the discovery of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8) that could potentially be exploited to execute malicious code remotely. It has been resolved in version 7.11.5.
“This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible,” Wordfence said.