A new malware campaign is leveraging a higher-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.
In accordance to Sucuri, the campaign has infected extra than 3,900 internet sites around the previous three months.
“These attacks are orchestrated from domains a lot less than a thirty day period old, with registrations relationship again to February 12th, 2024,” security researcher Puja Srivastava explained in a report dated March 7.
An infection sequences include the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to develop rogue admin users and set up arbitrary plugins.
The shortcoming was exploited as portion of a Balada Injector marketing campaign before this January, compromising no significantly less than 7,000 web sites.
The most up-to-date established of assaults direct to the injection of malicious code, which will come in two diverse variants and is intended to redirect web site visitors to other web pages these as phishing and scam web pages.
WordPress web site house owners are encouraged to hold their plugins up-to-date as nicely as scan their web sites for any suspicious code or users, and accomplish proper cleanup.
“This new malware campaign serves as a stark reminder of the hazards of not keeping your web site software program patched and up-to-day,” Srivastava said.
The advancement arrives as WordPress security firm Wordfence disclosed a large-severity bug in a different plugin regarded as Ultimate Member that can be weaponized to inject malicious web scripts.
The cross-website scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS rating: 7.2), impacts all versions of the plugin, together with and prior to 2.8.3. It has been patched in model 2.8.4, unveiled on March 6, 2024.
The flaw stems from insufficient enter sanitization and output escaping, therefore allowing for unauthenticated attackers to inject arbitrary web scripts in web pages that will be executed each and every time a person visits them.
“Put together with the simple fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable internet site, this usually means that there is a large opportunity that unauthenticated attackers could attain administrative consumer obtain on web sites jogging the vulnerable model of the plugin when properly exploited,” Wordfence reported.
It really is truly worth noting that the plugin maintainers dealt with a similar flaw (CVE-2024-1071, CVSS score: 9.8) in variation 2.8.3 produced on February 19.
It also follows the discovery of an arbitrary file add vulnerability in the Avada WordPress topic (CVE-2024-1468, CVSS rating: 8.8) and quite possibly executes destructive code remotely. It has been resolved in model 7.11.5.
“This makes it doable for authenticated attackers, with contributor-degree entry and over, to add arbitrary information on the influenced site’s server which may make distant code execution doable,” Wordfence reported.
Discovered this report exciting? Stick to us on Twitter and LinkedIn to study extra unique content material we article.
Some parts of this article are sourced from:
thehackernews.com