CVE-2023-6000 XSS Vulnerability

Hackers have been compromising WordPress websites by exploiting a vulnerability found in outdated versions of the Popup Builder plugin. This has resulted in the infection of over 3,300 websites with lousy code. The vulnerability, known as CVE-2023-6000, is a cross-site scripting (XSS) vulnerability affecting Popup Builder versions 4.2.3 and earlier. It was first disclosed in November 2023.

At the beginning of 2024, a Balada Injector campaign was discovered, utilizing this specific vulnerability to infect more than 6,700 websites. This highlights the fact that many site administrators had not promptly applied patches to mitigate the risk. Recently, information security researchers have identified a new campaign exhibiting a significant increase in activity, targeting the same vulnerability present in the WordPress plugin.

Evidence suggests that code injections associated with this latest campaign have been detected in over 3,000 WordPress sites.

The Attack Chain Exploiting the CVE-2023-6000 XSS Vulnerability

The attacks infect the WordPress admin interface's Custom JavaScript or Custom CSS sections, while the wrong code is stored within the 'wp_postmeta' database table. The primary function of the injected code is to act as event handlers for various Popup Builder plugin events, such as 'sgpb-ShouldOpen', 'sgpb-ShouldClose', 'sgpb-WillOpen', 'sgpbDidOpen', 'sgpbWillClose', and 'sgpb-DidClose.' By doing that, the wrong code is triggered by specific plugin actions, like when a popup opens or closes.

The exact actions of the code may vary. Still, the primary purpose of the injections appears to be redirecting visitors of infected sites to unsafe destinations such as phishing pages and malware-dropping sites.

Specifically, in some infections, the researchers observed the code injecting a redirect URL - 'http://ttincoming.traveltraffic.cc/?traffic,' as the 'redirect-url' parameter for a 'contact-form-7' popup. The injection then retrieves the bad code snippet from an external source and injects it into the browser's webpage head for execution.

Practically, it is possible for the attackers to achieve a range of harmful goals through this method, many potentially being more severe than redirections.

Take Measures to Protect against the CVE-2023-6000 Vulnerability

To effectively mitigate these attacks, it's advisable to block access from the two specific domains from which the attacks originate. Additionally, if you're utilizing the Popup Builder plugin on your website, it's crucial to update to the latest version, which is currently version 4.2.7. This update addresses not only CVE-2023-6000 but also other security vulnerabilities that may exist.

According to WordPress statistics, there are approximately 80,000 active sites still using Popup Builder versions 4.1 and older. This indicates a substantial attack surface that remains vulnerable. In the event of an infection, the removal process involves deleting any unsafe entries present in the Popup Builder's custom sections. Moreover, it's essential to conduct thorough scans to identify and remove any hidden backdoors that could lead to reinfection.