A new malware marketing campaign is leveraging a superior-severity security flaw in the Popup Builder plugin for WordPress to inject destructive JavaScript code.
According to Sucuri, the campaign has contaminated much more than 3,900 web pages about the previous three weeks.
“These attacks are orchestrated from domains much less than a month previous, with registrations courting back to February 12th, 2024,” security researcher Puja Srivastava said in a report dated March 7.

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
An infection sequences require the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to build rogue admin customers and set up arbitrary plugins.
The shortcoming was exploited as aspect of a Balada Injector marketing campaign previously this January, compromising no fewer than 7,000 web sites.
The most up-to-date established of attacks guide to the injection of malicious code, which will come in two different variants and is built to redirect web site people to other internet sites such as phishing and fraud webpages.
WordPress web-site house owners are advisable to retain their plugins up-to-day as properly as scan their sites for any suspicious code or end users, and conduct suitable cleanup.
“This new malware marketing campaign serves as a stark reminder of the risks of not keeping your internet site software package patched and up-to-day,” Srivastava claimed.
The progress will come as WordPress security organization Wordfence disclosed a large-severity bug in one more plugin known as Supreme Member that can be weaponized to inject destructive web scripts.
The cross-website scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS rating: 7.2), impacts all variations of the plugin, such as and prior to 2.8.3. It has been patched in version 2.8.4, released on March 6, 2024.
The flaw stems from insufficient enter sanitization and output escaping, thereby making it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will be executed just about every time a user visits them.
“Blended with the point that the vulnerability can be exploited by attackers with no privileges on a susceptible site, this signifies that there is a superior prospect that unauthenticated attackers could get administrative user entry on web sites operating the susceptible variation of the plugin when efficiently exploited,” Wordfence mentioned.
It truly is worthy of noting that the plugin maintainers tackled a similar flaw (CVE-2024-1071, CVSS score: 9.8) in edition 2.8.3 introduced on February 19.
It also follows the discovery of an arbitrary file add vulnerability in the Avada WordPress topic (CVE-2024-1468, CVSS rating: 8.8) and perhaps executes destructive code remotely. It has been fixed in edition 7.11.5.
“This makes it achievable for authenticated attackers, with contributor-stage obtain and higher than, to upload arbitrary files on the impacted site’s server which could make remote code execution possible,” Wordfence stated.
Uncovered this report fascinating? Abide by us on Twitter and LinkedIn to examine far more distinctive information we write-up.
Some pieces of this report are sourced from:
thehackernews.com