"Nearly 7K WordPress Sites Compromised by Balada Injector"

According to security researchers at Jscrambler, about 6,700 WordPress websites have been infected with the Balada Injector malware after running a version of the Popup Builder plug-in affected by a cross-site scripting (XSS) vulnerability tracked as CVE-2023-6000. The researchers noted that the Balada Injector campaign is long-running (active since 2017) and has compromised more than 1 million WordPress sites in the past six years. In the attack, a backdoor is injected that redirects visitors from the legitimate WordPress site to fake support pages and to compromised or scam websites. In the most recent wave of activity, the threat actors exploited the XSS vulnerability to take over Popup Builder's "sgpbWillOpen" event, clearing the way for malicious JavaScript to be injected and run once a popup is launched. The threat actors executed that JavaScript code by making changes to the "wp-blog-header.php" file. The researchers noted that the vulnerable version of the Popup Builder plug-in has more than 200,000 installations, so more infections could be coming.
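As an added example (not code from the article or from Jscrambler's research), the following Python check targets the file-modification step the summary mentions: it strips comments and PHP tags from wp-blog-header.php, compares each remaining statement against an allowlist approximating the stock file, and reports anything else, marking extra includes, obfuscation helpers, remote fetches and inline script tags as suspicious. Assumptions: the allowlist approximates recent WordPress releases (a real audit should diff against the pristine file of the exact release), and the appended include and its path in the infected sample are constructed placeholders, not indicators from the campaign.

```python
import re

# Statements a stock wp-blog-header.php contains (assumption: approximates recent
# WordPress releases; diff against the pristine file of your exact version for real audits).
ALLOWED_STATEMENTS = [
    r"^if\s*\(\s*!\s*isset\s*\(\s*\$wp_did_header\s*\)\s*\)$",
    r"^\$wp_did_header\s*=\s*true$",
    r"^require_once\s*\(?\s*(__DIR__|dirname\s*\(\s*__FILE__\s*\))\s*\.\s*'/wp-load\.php'\s*\)?$",
    r"^wp\s*\(\s*\)$",
    r"^require_once\s*\(?\s*ABSPATH\s*\.\s*WPINC\s*\.\s*'/template-loader\.php'\s*\)?$",
]

# Constructs with no business in this file: extra includes, obfuscation helpers, remote fetches, inline JS.
SUSPICIOUS = re.compile(
    r"\b(include|require)(_once)?\b|\beval\s*\(|base64_decode|gzinflate|"
    r"str_rot13|file_get_contents\s*\(\s*['\"]https?://|<script",
    re.I,
)

def statements(src: str) -> list[str]:
    body = re.sub(r"/\*.*?\*/", "", src, flags=re.S)          # drop block comments
    body = re.sub(r"^\s*(//|#).*$", "", body, flags=re.M)     # drop full-line comments
    body = re.sub(r"<\?php|\?>", "", body)                    # drop PHP open/close tags
    parts = re.split(r"[;{}]", body)                          # split on statement/block boundaries
    return [re.sub(r"\s+", " ", p).strip() for p in parts if p.strip()]

def audit_blog_header(src: str) -> list[str]:
    findings = []                                             # one entry per non-stock statement
    for stmt in statements(src):
        if any(re.match(pat, stmt) for pat in ALLOWED_STATEMENTS):
            continue
        label = "suspicious" if SUSPICIOUS.search(stmt) else "unexpected"
        findings.append(f"{label}: {stmt}")
    return findings

# Constructed clean sample, modelled on the stock wp-blog-header.php.
STOCK = """<?php
/** Loads the WordPress environment and template. */
if ( ! isset( $wp_did_header ) ) {
    $wp_did_header = true;
    // Load the WordPress library.
    require_once __DIR__ . '/wp-load.php';
    wp();
    require_once ABSPATH . WPINC . '/template-loader.php';
}
"""
# Constructed infected sample: an extra include appended after the stock code
# (the path is a placeholder, not an indicator from the campaign).
INFECTED = STOCK + "<?php\n@include_once '/PLACEHOLDER/injected.php';\n"
```

Calling `audit_blog_header()` on the clean sample returns an empty list, while the infected sample yields a single "suspicious" finding for the appended include.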


Dark Reading reports: "Nearly 7K WordPress Sites Compromised by Balada Injector"

Submitted by Adam Ekwall on