Thousands of Sites with Popup Builder Compromised by Balada Injector

[nicolaasjan]

Content source

https://blog.sucuri.net/2024/01/thousands-of-sites-with-popup-builder-compromised-by-balada-injector.html

On December 11, 2023 WPScan published Marc Montpas’ research on the stored XSS vulnerability in the popular Popup Builder plugin (200,000+ active installation) that was fixed in version 4.2.3.
A couple of days later, on December 13th, the Balada Injector campaign started infecting websites with older versions of the Popup Builder. The attack used a freshly registered (December 13) domain specialcraftbox[.]com At the current time of writing PublicWWW detects the injection on over 6,200 sites.