Balada Injector attacks the Internet again: a popular WordPress plugin has become an ideal entry point for attackers

More than 7,000 infected pages are being used for malicious activity against ordinary users.

Thousands of WordPress sites that use a vulnerable version of the Popup Builder plugin have been compromised by a malicious program called Balada Injector.

First documented by Doctor Web experts in January last year, the malicious campaign is a series of attacks that exploit security flaws in WordPress plugins to plant a backdoor. The backdoor redirects visitors of infected sites to fake technical support pages, fraudulent lottery winnings, and push notification scams.

The latest investigation by Sucuri revealed that Balada Injector activity was detected on more than 7,100 sites as of December 2023. This time, the attackers exploit a vulnerability in the WordPress plugin Popup Builder. The vulnerability is tracked as CVE-2023-6000 and has a CVSS score of 8.8. It was officially fixed in plugin version 4.2.3, while the latest version of Popup Builder at the time of publication is 4.2.6.

Marc Montpas, a researcher at WPScan, said: "If this vulnerability is successfully exploited, attackers can perform any actions that the site administrator has access to, including installing arbitrary plugins and creating new users with administrator rights."

The goal of the malicious campaign is to inject a malicious JavaScript file into the vulnerable site in order to seize control and install additional payloads. The infected sites are then used by attackers to facilitate malicious redirects and phishing attacks, as noted above.

This cyber incident once again reminds WordPress site owners of the importance of regularly updating their plugins to the latest versions. Vulnerabilities in outdated versions of plugins, such as Popup Builder, can lead to infection of the site and its use for criminal purposes. Regular updates are a simple but effective way to protect your site and its visitors from such attacks.
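To act on the update advice above, a site owner can check the installed Popup Builder version against the fixed release 4.2.3 named in the article. The following is an added example, not part of the original post: the plugin directory name `popup-builder`, the `wp-content/plugins` layout and the sample site trees are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (4, 2, 3)      # first patched release, per the article
PLUGIN_SLUG = "popup-builder"  # assumption: the plugin's directory name on disk
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'4.2.2' -> (4, 2, 2); ignores any suffix such as '-beta'."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def plugin_version(plugin_dir):
    """Return the Version: header of the plugin's main PHP file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top
        if "Plugin Name:" in head:
            m = VERSION_RE.search(head)
            if m:
                return m.group(1)
    return None

def audit(wp_root):
    """Classify one WordPress root: not-installed, unknown, vulnerable, patched."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return "not-installed"
    version = parse_version(plugin_version(plugin_dir) or "")
    if not version:
        return "unknown"  # header missing or unparseable: inspect by hand
    return "vulnerable" if version < FIXED_VERSION else "patched"

def demo():
    """Build two constructed site trees in a temp dir and audit them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in (("old-site", "4.2.2"), ("new-site", "4.2.6")):
            pdir = Path(tmp, name, "wp-content", "plugins", PLUGIN_SLUG)
            pdir.mkdir(parents=True)
            (pdir / "popup-builder.php").write_text(
                f"<?php\n/**\n * Plugin Name: Popup Builder\n * Version: {ver}\n */\n")
            results[name] = audit(Path(tmp, name))
    return results

if __name__ == "__main__":
    print(demo())  # constructed sample trees, not real sites
```

A "patched" result only describes the installed version; a site that was compromised before the update still needs to be checked for injected scripts and unexpected administrator accounts.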
 