Hackers are using a WordPress plugin flaw to infect 3,300 websites with malware

50K WordPress sites exposed to RCE attacks by critical bug

Hackers hack WordPress websites using vulnerabilities in outdated versions of the Popup Builder plugin, infecting more than 3,300 websites with malicious code.

The flaw used in the attacks is considered CVE-2023-6000, a cross-site scripting (XSS) vulnerability affecting Popup Builder 4.2.3 and earlier, which was originally disclosed in November 2023.

The Balada Injector campaign revealed earlier in the year exploited a specific vulnerability to infect more than 6,700 websites, showing that many website administrators did not patch quickly enough.

Sucuri now reports that it has spotted a new campaign targeting the same vulnerability in the WordPress plugin over the past three weeks.

According to PublicWWW results, code injections associated with this latest campaign can be found on 3,329 WordPress sites, with Sucuri's own scanners detecting 1,170 infections.

Injection details

The attacks infect the Custom JavaScript or Custom CSS sections of the WordPress admin interface, while the malicious code is stored in the “wp_postmeta” database table.

The main function of the injected code is to act as event handlers for various Popup Builder events such as “sgpb-ShouldOpen”, “sgpb-ShouldClose”, “sgpb-WillOpen”, “sgpbDidOpen”, “sgpbWillClose” and “sgpbWillClose”. : sgpb-DidClose.'

This allows malicious code to be triggered by specific plugin actions, such as when a popup is opened or closed.

The exact actions of the code may vary, Sukuri said, but the main purpose of the injections appears to be to redirect visitors to infected sites to malicious destinations, such as phishing pages and sites that release malware.

Specifically, in some infections, analysts observed code that injects a redirect URL (hxxp://ttincoming.traveltraffic(.)cc/?traffic) as the “redirect-url” parameter for the “contact-form-7” popup.

One injection option (juices)

The above injection retrieves a piece of malicious code from an external source and injects it into the header of a web page to be executed by the browser.

In practice, it is possible for attackers to achieve a number of malicious goals with this method, many of which are potentially more severe than redirects.


The attacks originate from the domains “ttincoming.traveltraffic(.)cc” and “host.cloudsonicwave(.)com”, so it is recommended to block these two.

If you use the Popup Builder plugin on your site, update to the latest version, currently 4.2.7, which addresses CVE-2023-6000 and other security issues.

WordPress statistics show that at least 80,000 active sites are currently using Popup Builder 4.1 and older, so the attack surface remains significant.

In the event of an infection, removal includes deleting malicious entries from specific sections of the Popup Builder and scanning for hidden backdoors to prevent re-infection.

READ  WordPress Plugin Flaw Allows Attackers To Hijack 1M Websites

Leave a Reply

Your email address will not be published. Required fields are marked *