A brand new malware marketing campaign is leveraging a high-severity safety flaw within the Popup Builder plugin for WordPress to inject malicious JavaScript code.
In accordance with Sucuri, the marketing campaign has contaminated greater than 3,900 websites over the previous three weeks.
“These assaults are orchestrated from domains lower than a month previous, with registrations relationship again to February twelfth, 2024,” safety researcher Puja Srivastava stated in a report dated March 7.
An infection sequences contain the exploitation of CVE-2023-6000, a safety vulnerability in Popup Builder that could possibly be exploited to create rogue admin customers and set up arbitrary plugins.
The shortcoming was exploited as a part of a Balada Injector marketing campaign earlier this January, compromising at least 7,000 websites.
The newest set of assaults result in the injection of malicious code, which is available in two completely different variants and is designed to redirect web site guests to different websites equivalent to phishing and rip-off pages.
WordPress web site homeowners are really useful to maintain their plugins up-to-date in addition to scan their websites for any suspicious code or customers, and carry out applicable cleanup.
“This new malware marketing campaign serves as a stark reminder of the dangers of not protecting your web site software program patched and up-to-date,” Srivastava stated.
The event comes as WordPress safety agency Wordfence disclosed a high-severity bug in one other plugin referred to as Final Member that may be weaponized to inject malicious internet scripts.
The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS rating: 7.2), impacts all variations of the plugin, together with and previous to 2.8.3. It has been patched in model 2.8.4, launched on March 6, 2024.
The flaw stems from inadequate enter sanitization and output escaping, thereby permitting unauthenticated attackers to inject arbitrary internet scripts in pages that shall be executed each time a person visits them.
“Mixed with the truth that the vulnerability will be exploited by attackers with no privileges on a susceptible web site, this implies that there’s a excessive probability that unauthenticated attackers may acquire administrative person entry on websites operating the susceptible model of the plugin when efficiently exploited,” Wordfence stated.
It is price noting that the plugin maintainers addressed the same flaw (CVE-2024-1071, CVSS rating: 9.8) in model 2.8.3 launched on February 19.
It additionally follows the invention of an arbitrary file add vulnerability within the Avada WordPress theme (CVE-2024-1468, CVSS rating: 8.8) and presumably executes malicious code remotely. It has been resolved in model 7.11.5.
“This makes it attainable for authenticated attackers, with contributor-level entry and above, to add arbitrary recordsdata on the affected web site’s server which can make distant code execution attainable,” Wordfence stated.
