More than 3,000 WordPress-powered websites were compromised as a result of not patching a known vulnerability fast enough, a report from cybersecurity researchers Sucuri and PublicWWW has claimed.
Sucuri says that over the past couple of weeks, unnamed threat actors were leveraging a vulnerability tracked as CVE-2023-6000 to redirect people to malicious websites. This vulnerability, described as a cross-site scripting (XSS) flaw, was discovered in Popup Builder version 4.2.3 and older, in November last year.
Popup Builder is a popular plugin for WordPress websites which, as the name suggests, allows website administrators to build and deploy popup windows. As per WordPress data, there are more than 80,000 websites currently using Popup Builder 4.1 and older. These older versions, susceptible to an attack, allow threat actors to deploy malicious code inside the WordPress website.
Securing the website
This code, the researchers explain, can redirect visitors to malicious websites, such as phishing sites, pages hosting malware, and more.
Sucuri claims 1,170 websites have been compromised via this bug in the past couple of weeks, while PublicWWW puts the figure at around 3,300.
To defend against these attackers, webmasters can do a couple of things: First – they can (and they should) update their plugins. Popup Builder addressed the flaw in version 4.2.7.
Webmasters should also analyze their site’s code for malicious entries from the plugin’s custom sections. Furthermore, they should scan for hidden backdoors to prevent the attackers from moving back in. Finally, they should block “ttincoming.traveltraffic[.]cc” and “host.cloudsonicwave[.]com” domains, as that is where the attacks come from.
Attacks against WordPress plugins and themes are nothing new. As WordPress is generally considered a safe web hosting and design platform, threat actors usually hunt for flaws in third-party additions.
Via BleepingComputer