Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin

On December 11, 2023, Wordfence added an Unauthenticated Stored XSS vulnerability in the Popup Builder WordPress plugin to their Wordfence Intelligence Vulnerability Database. This vulnerability, which was originally reported by WPScan, allows an unauthenticated attacker to inject arbitrary JavaScript that will be executed whenever a user accesses an injected page.

Later, on January 10th, 2024, they received an interesting malware submission demonstrating how a Cross-Site Scripting (XSS) vulnerability in a single plugin can allow an unauthenticated attacker to inject an arbitrary administrative account that can be used to take over a website. This type of vulnerability is often exploited in order to add spam content or malicious redirects to a compromised website. However, this time they found a successful attempt to directly inject a WordPress administrator account, one of the few they’ve been able to definitively attribute to this technique with the evidence still preserved.

Paid Wordfence users received a malware signature to detect this malicious file on January 11th, 2024. Wordfence free users received this signature after 30 days, on February 11th, 2024. In addition, all Wordfence users are protected against any exploits targeting this vulnerability.

Source and more details:
