Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

Mar 12, 2024 | Newsroom | WordPress / Website Security

A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.

According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.

“These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024,” security researcher Puja Srivastava said in a report dated March 7.

Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins.


The shortcoming was exploited as part of a Balada Injector campaign earlier this January, compromising no less than 7,000 sites.

The latest set of attacks leads to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages.

WordPress site owners are recommended to keep their plugins up-to-date as well as scan their sites for any suspicious code or users, and perform appropriate cleanup.

“This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date,” Srivastava said.

The development comes as WordPress security firm Wordfence disclosed a high-severity bug in another plugin known as Ultimate Member that can be weaponized to inject malicious web scripts.

The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), impacts all versions of the plugin, including and prior to 2.8.3. It has been patched in version 2.8.4, released on March 6, 2024.

The flaw stems from insufficient input sanitization and output escaping, thereby allowing unauthenticated attackers to inject arbitrary web scripts in pages that will be executed every time a user visits

Vulnerability in Field Builder Plugin Exposes Over 2M WordPress Sites to Attacks

A cross-site scripting (XSS) vulnerability in the Advanced Custom Fields WordPress plugin could be exploited to inject malicious scripts into websites.

Tracked as CVE-2023-30777, the vulnerability impacts both the free and paid versions of the plugin. Advanced Custom Fields has more than 2 million installs via the official WordPress app store.

The plugin provides site administrators with the ability to easily add fields to WordPress edit screens, posts, pages, and other site elements.

Identified by Patchstack security researcher Rafie Muhammad, CVE-2023-30777 is described as a high-severity reflected XSS bug impacting the plugin’s admin page.

“This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site,” Patchstack notes in an advisory.

The flaw was identified in a function configured as an extra handler for a WordPress hook that has the same name, and which controls the CSS classes for the main body tag in the admin area.

The root cause of the issue is improper sanitization of the hook's output value, which could lead to XSS if the function handler fails to properly sanitize the returned classes string.

According to Patchstack, the vulnerability can be triggered on default plugin installations, either by unauthenticated attackers or by logged-in users with access to the plugin.

The security defect was identified on May 2 and reported to the vendor the same day. A patch was released two days later.

Advanced Custom Fields version 6.1.6 addresses the vulnerability for both free and paid customers. The fix was also included in version 5.12.6 of the plugin.

Users are advised to update their installations as soon as possible. Unpatched WordPress plugins are often exploited in malicious attacks
